Posts on nagg.eu

Fiddling with IoT home security

Sun, 08 Dec 2024 00:00:00 +0000

Last year I installed an IoT home security system; back then I did not bother to connect it to the internet mostly because of my own laziness but also because IoT most of the times rhymes with: overpriced crap prone to also being a security nightmare.
I am not going to name the brand, but it is fairly well known and its pricing is not on the cheap side (€ 700 for main unit and external keyboard).
Hardware wise it is well made, just by looking at it one could tell that quite some engineering was poured into it, it has all kind of expansion cards and the quality seems more than decent.
Software, hard to say though.
Just to be on the safe side, I have put it into its own network segment which is segregated from the rest of the network.

Remotely unlock a full disk encrypted Fedora 40 server

Sun, 20 Oct 2024 00:00:00 +0000

What I have been doing in 2020 and before doesn’t seem to work anymore, ence it is time to publish a new episode of the saga: how to remotely unlock a full disk encrypted Linux machine.
dracut-sshd still works perfectly even though the surroundings changed a bit.

First step is instructing dracut to add dracut-sshd into initramfs:

$ sudo dnf install dracut dracut-network openssh
$ git clone https://github.com/gsauthof/dracut-sshd.git
$ cd dracut-sshd
$ sudo cp -ri 46sshd /usr/lib/dracut/modules.d

Configure grub to instruct dracut to add networking to initramfs:

We are in the cloud

Sat, 08 Jul 2023 00:00:00 +0000

We are in the cloud, running on someone else’s computer.

Mikrotik RouterOS WAN traffic sniff Suricata IDS

Sat, 21 Jan 2023 00:00:00 +0000

Preface: this is the poor’s man way of hooking up Suricata IDS to ~~Mikrotik~~ any router.
Better ways would be using port mirroring or putting Suricata host directly in front of the router.

My goal was to have all network traffic coming and going from internet mirrored into the suricata virtual machine.
Network schema is the following:
(internet) <-> routeros <-> debian_hypervisor <-> (linux bridge) <-> Suricata_VM

There are few ways of doing this, the one which is in my opinion the lesser evil involves:

Monitoring DNS BIND with Zabbix

Wed, 17 Aug 2022 00:00:00 +0000

Shockingly enough out of the box Zabbix (version 6) does not include any template to monitor a very crucial compontent every organization: DNS.
Like most open source aficionado my DNS of choice is BIND named.
Luckily Zabbix has a pretty huge community and plenty of templates for it are freely available, a quick search on the interwebz lead me to this page.
Kudos to whoever wrote this template, I just took it and tweaked it a little bit.

Sony WF-1000XM4 on Linux Fedora 35

Thu, 23 Dec 2021 00:00:00 +0000

Last week I converted myself to wireless earphones.
I don’t consider myself an audiophile, I don’t have any deep knowledge of music but I kinda enjoy listening to it.
Because of this I have had a few decent pairs of headphones, earphones and monitor speakers in my life; they all shared a thing: cables.
Last week I pulled the trigger and bought myself my very first pair of wireless earphones: Sony WF-1000XM4.
The main idea was to use them with the phone and maybe with work issued laptop which is running Windows, I did not even thought they would work with my Linux laptop.
But to my biggest surprise they just work on Linux, no fiddling with bluetoothhcl or btmgmt; just enable BT in Gnome settings, long press for 5 seconds on both earphones to activate pairing mode and wait for them to pair.

Thinkpad T480 firmware update in Linux using fwupd

Sat, 23 Oct 2021 00:00:00 +0000

For the most part I never cared much about upgrading firmware because if it works don’t mess with it is usually my rule.
I also don’t care much about having installed the latest version of Intel “““NSA botnet””” Management Engine, it is a piece of trash anyway so I might as well not have the latest updates.
But since I have some issues with the NVME drive (very slow reads, it is most definitely dying) I figured a system wide firmware upgrade wouldn’t be a bad thing.
The interwebz says the best way to upgrade firmware on Linux is using a tool called fwupd; it basically gives the user access to a massive repository of firmware which are provided and signed by hardware companies themselves.
Dealing with closed source crapware and binary blobs always gives some headhace, of course having fwupd working was not free of any hassle: it downloads everything, gives no error/warning, but after rebooting nothing gets installed.

Debian QEMU/KVM bridged networking and VLAN

Sun, 25 Jul 2021 00:00:00 +0000

By default on every Linux distro after installing QEMU and libvirt two kinds of networking are available:

NAT: VM sits behind a NAT.
MACVTAP: without going into much details it acts more or less like a bridged network, except not really. One of the most annoying limitations is that host to guest communication and vice versa are not really working well. Other important things might be broken as well, like for example VRRP. This mode is good for quick and dirty testing but not really for a stable environment.

BRIDGED networking is also supported by libvirt but requires some manual work.
A possible networking schema could be the following:

Keepalived and libvirt MACVTAP network interfaces

Wed, 13 Jan 2021 00:00:00 +0000

Keepalived is a routing software written in C that can be used to setup load balancing and high availiability for Linux machines.

NOTE: hypervisor is Debian 10 (Buster) with libvirt and qemu/kvm, virtual machines also are Debian 10 (Buster).

Keepalived configuration

Install keepalived:

$ apt install keepalived

Install nginx, it will be use to check that keepalived is actually working:

$ apt install nginx
$ systemctl enable --now nginx

Configure keepalived:

$ vi /etc/keepalived/keepalived.conf
---
global_defs {
 enable_script_security # prevents tampering with the check script
 script_user root # defines which user runs the check script
}

vrrp_script chk_nginx {
 script "/opt/scripts/nginx-check.sh"
 interval 2 # run script every 2 seconds
 weight 2 # add 2 points if OK
}

vrrp_instance VI_1 {
 interface enp2s0 # interface to monitor
 virtual_router_id 51
 priority 101 # MASTER 101, BACKUP 100
 advert_int 1
 nopreempt # comment to not have the VIP go back to MASTER 
 # -> when it comes back online
 authentication {
 auth_type PASS
 auth_pass myPass # maximum 8 chars
 }
 virtual_ipaddress {
 10.10.0.12/24 # VIP (Virtual IP Address)
 }
 track_script {
 chk_nginx
 }
}

Also add a script to check if nginx is alive and well:

Wireguard VPN Linux and IOS setup guide

Mon, 04 Jan 2021 00:00:00 +0000

Wireguard is an open source software and communication protocol which aims to provide a simpler and safer alternative to OpenVPN.
Compared to OpenVPN both client and server configuration are much simpler and mantaining a PKI is also not required.
Performance wise Wireguard is also faster than OpenVPN.

SERVER: Debian 10 (Codename Buster)

As of today Wireguard is not included in Debian 10 stable repos, so it is required to enable backports to install it:

LUKS encrypted TGT ISCSI target and initiator

Sat, 26 Dec 2020 00:00:00 +0000

After the CentOS fiasco (good job Redhat/IBM) and since we are more or less in lockdown I decided to invest a couple of days to migrate my home infra from CentOS 7 to Debian 10.
One of my physical machines, which was also CentOS 7 based, is used as ISCSI target.

Debian 10 - Server A.K.A. Target

Install the required packages:

$ sudo apt-get install tgt dkms

Create a device backstore:

OPENWRT first run configuration guide

Sat, 12 Dec 2020 00:00:00 +0000

OpenWRT is a free open source Linux based operating system aimed at networking hardware.
Every time the system is upgraded to a newer version using the so called Sysupgrade BIN image every package the user manually installed gets lost; this makes the upgrade process very tedious especially if one does not properly write down all the customization he has made.
I don’t use many custom packages but QoS, DNS-over-HTTPS, USB support and vnstat are must have.

Remotely unlock a full disk encrypted Fedora 33 server

Tue, 08 Dec 2020 00:00:00 +0000

Last year I blogged on how to remotely unlock a full disk encrypted Fedora/CentOS server.
The software I used, dracut-crypt-ssh, is not supported anymore and stopped working for me on Fedora 32 and 33.
A quick DDG search pointed me in the right direction and made me find a similar software that accomplishes the same task: dracut-sshd.

$ sudo dnf install dracut dracut-network openssh libblkid-devel gcc
$ git clone https://github.com/gsauthof/dracut-sshd.git
$ cd dracut-sshd
$ sudo cp -ri 46sshd /usr/lib/dracut/modules.d

After compiling and installing dracut-crypt-ssh configure grub to instruct dracut to add networking to initramfs:

Siemens IOT2050

Sun, 24 May 2020 00:00:00 +0000

A few weeks ago Siemens released a very much needed upgrade of the IOT2000 platform; the newcomer is called IOT2050 and is a huge step forward compared to the very very underpowered IOT2040.
I have had one for a few days laying on my desk but I just found the time to play with it today.
Other than the new hardware, the officially supported operating system also changed from Yocto Linux to Debian Buster (kudos for dropping Yocto).

XMPP audio and video calls

Sun, 03 May 2020 00:00:00 +0000

Ejabberd has supported STUN/TURN for quite some time now, this in conjunction with client support can be used to implement one on one audio and video calls.
Since version 2.8.0 Conversations Android client added audio and video call functionality by leveraging on STUN/TURN and XEP-0215.
The rest of the XMPP world is following the route opened by them, so I expect to see IOS and regular computer XMPP clients to finally implement these new features too in the upcoming months.
Enabling audio and video calls in Ejabberd is actually pretty simple.
Provided you have installed the latest release (version 20.04), edit ejabberd.yml:

Microsoft Teams on Fedora and Wayland with screenshare

Mon, 27 Apr 2020 00:00:00 +0000

Since the whole COVID19 pandemic hoax started a couple of months ago, working from home has become the new hip thing every company brags about on every social media known to humankind.
The first step to be able to call yourself a proper COVID19 ready(tm) company is the ability to bother every employees with just a few mouse clicks.
So here we are, with Microsoft Teams(tm) and a lot of other not very secure and massively bloated software elected as the center of the office life.
Coffee break? XYZ software chatroom. Kick-off meeting? XYZ software chatroom. And so on.
Because of my special snowflake syndrome and my deep hatred for all things Microsoft and especially Windows I always end up making my life a bit harder.
After having used Teams in a Windows 10 VM (after all I paid for a license when I got my latest Thinkpad) for a few weeks, I decided it was time to finally try to make it work on my main OS: Fedora 31.
The catch was also that I wanted to do that more or less without installing any third party non free software.
The OS I use is Fedora 31, which comes with pipewire and xgd-desktop-portal both installed and configured out of the box.
Since using the official closed source Electron crapware client was out of the question, the obvious choice was to make Microsoft Teams work in a regular WEB browser.
The situation is the following:

nagg.eu TOR onion mirror

Sun, 01 Mar 2020 00:00:00 +0000

Here at nagg.eu we are strong believers in internet anonymity and privacy, for this reason we are proudly announcing the launch of nagg.eu onion mirror.
Onion mirror version of the website is still work in progress and still contains links to third party clearnet domains.
Use with caution.

InfluxDB max user`s password length

Sat, 29 Feb 2020 00:00:00 +0000

Apparently Microsoft is not alone when it comes to utterly retarded design decisions.
A few years ago when signing up for a Microsoft account I discovered that for some reason they enforce a maximum password lenght of 16 characters or something around that.
Well, InfluxDB not only does the same thing but also silently fails to create the user account when the password is considered too long.
Took me at least half an hour to figure out why this piece of trash kept vomiting {"error":"authorization failed"}.
Double checked my docker-compose file, curl parameters, read InfluxDB useless documentation which, of course, makes no mention of password lenght limits.

Weihrauch HW 77 K pellet comparision

Sat, 04 Jan 2020 00:00:00 +0000

This is gonna be a very unusual post, in some way it is still about technology even if it is not about the usual IT stuff I write of.
I have a Weihrauch HW 77 K spring air rifle I mostly use to shoot in my backyard or terrace.
When it comes to air guns I always have troubles finding proper reviews and comparisons online, so I figure it might be worth sharing my findings here.

New Gohugo theme

Tue, 24 Dec 2019 00:00:00 +0000

Since I apparently got recurring readers (no, for real, I do) I suspect someone might actually have noticed how the look of the blog changed drastically a few weeks ago.
To explain what happened a bit of backstory is required; this blog is built using a static website generator called Gohugo, the way it works is basically the following:

choose or build a theme from scratch.
Write some articles in Markdown or some other memetic markup language.
Customize the theme and look of the website by editing a yaml configuration file.
Feed everything to the Gohugo binary which will produce some sleek plain HTML, CSS and maybe JS files.
rsync the files to a webserver.
??
Profit!!

Couple of months ago Gohugo developers introduced a few changes in the site builder engine that broke backward compatibility with every existing theme, unfortunately the developer of the one I was using still has to make it compatible.
So here is how nagg.eu got a nice solarized look.

Kubernetes cluster for manufacturing engineering: tale of an epic commissioning

Wed, 23 Oct 2019 00:00:00 +0000

- Introduction

A quite big company that produces parts for some of the most important automotive industry companies was interested in a cloud-based system to monitor the overall efficiency of their production machines, analyze some key parameters and optimize the production activities scheduling.
Goal of the project was to connect eleven industrial manufacturing machines to the cloud, extract specific machine data and develop a web application for the visualization and management of such data, while guaranteeing information confidentiality and security.
Furthermore, one fundamental requirement of such system has been the bidirectional integration with the customer’s ERP system, in order to synchronize the production JOBs and manage their execution on the corresponding machines.
To fulfill such requirements, the project team has engineered and then implemented an hybrid edge-cloud solution in which the software has been packed into various containers that are orchestrated and managed, at the edge level, by a Kubernetes cluster.
This technology ensures an optimal load balancing between the available resources as well as a high availability in case of hardware or software failures.
While IT enterprises do not question the value of containerized applications anymore, the use of such kind of technologies within a manufacturing environment hasn’t been completely explored yet.
In the following paragraphs we will go into details on how we engineered and built the system despite all the difficulties we had to overcome.

FreeBSD, Nginx and htpasswd file generation

Sun, 01 Sep 2019 00:00:00 +0000

On most Linux distros it is possible to generate the htpasswd file entries simply using the htpasswd command line util.
On FreeBSD the easiest way to accomplish the same task is using OpenSSL itself:


openssl passwd -apr1

Enter the password twice to get a nice hash, copy that in the htpasswd file with the usual user:password_hash syntax.

Disable head parking Western Digital drives

Sun, 04 Aug 2019 00:00:00 +0000

Most Western Digital hard drives’ firmware let the heads park themselves after a certain amount of seconds in case the disk is not actively performing any operation.
This might be useful to keep power consumption under control but is actually harmful for disks that run 24/7 (WD Red for example).
Luckily there is a way to disable head parking, this can be done directly from Linux using a tool called idle3ctl.

FreeBSD, NGINX and TLSv1.3

Sat, 29 Jun 2019 00:00:00 +0000

After a six months hiatus here is a new blogpost.
This saturday I finally found the time to upgrade the configuration of the server that hosts this very website.
Software stack is pretty simple: FreeBSD (version 12.0-p6),nginx (version 1.15.10) and OpenSSL (version 1.1.1a-freebsd).

Install the required software:


$ pkg install nginx-devel py36-certbot

Get a SSL certificate from letsencrypt:


$ certbot-3.6 certonly --standalone -d domain.tld -d www.domain.tld

Certfiles location is /usr/local/etc/letsencrypt/live/<domain.tld>, you might, or might not, want to move them to another directory.

qemu/KVM PCI passthrough

Sat, 26 Jan 2019 01:00:00 +0000

PCI passthrough is the process of attaching a PCI-E device directly to a VM; CPU support (namely VT-D for Intel and AMD-V for AMD) and motherboard support (IOMMU) are required for PCI passthrough to work properly.
Hardware configuration used:


AMD Ryzen 1700x
Gigabyte X370 K7
Nvidia Geforce GTX260
32 GiB of RAM and a few HDDs
Fedora 29 as host OS

The system only has a single graphic card because it is normally used as headless compute server for which a GPU is not really required; the graphic card is also very very old Nvidia Geforce GTX260 with a standard non UEFI BIOS.
If using an UEFI enabled graphic card it is probably required to install the OS in UEFI mode using a virtual UEFI BIOS.
This guide assumes you already have a working Windows virtual machine and are familiar with libvirt.
First of all, edit GRUB to enable IOMMU and blacklist nouveau kernel module so that the graphic card is not picked up anymore by the host:

Remotely unlock a full disk encrypted Fedora/CentOS server

Sat, 26 Jan 2019 00:00:00 +0000

The idea here is to be able to power on and unlock a remote Full Disk Encrypted (FDE from now on) server.
I will leave the how “remotely power on” to the reader to figure out and focus on the other part.
The easiest way to accomplish it is by using a program called: dracut-crypt-ssh.


$ yum install dropbear dracut dracut-network openssh libblkid-devel gcc
$ git clone https://github.com/dracut-crypt-ssh/dracut-crypt-ssh.git
$ cd dracut-crypt-ssh
$ ./configure
$ make
$ sudo make install

After compiling and installing dracut-crypt-ssh configure grub to instruct dracut to add networking to initramfs:

Resize QCOW2 disk image

Wed, 05 Dec 2018 00:00:00 +0000

QCOW2 disk images can be easily grown using libvirt command line utils.
Unfortunately it isn’t possible to grow QCOW2 images in-place or online.
First of all, power off the virtual machine, grow the file and make a copy of it:


$ qemu-img resize image.qcow2 +200G
$ cp image.qcow2 image-new.qcow2

Identify the specific partion you intend to grow:


$ virt-filesystems -a image.qcow2 -l
Name Type VFS Label Size Parent
/dev/sda1 filesystem ext4 - 536870912 -
/dev/sda3 filesystem xfs - 45885612000 -

Expand the actual partition:

Intel CPU, Hyper-Threading and Spectre STIBP mitigation

Sat, 17 Nov 2018 00:00:00 +0000

Yesterday I was reading phoronix 0 and phoronix 1 articles on STIBP mitigation impact on CPU performance, since I run a pretty old laptop equiped with a Sandy Bridge CPU I figured that I should do my own tests to see how bad things really are or aren’t.

CPU: Intel Core i3-2310M - 2 cores / 4 threads
Motherboard: Lenovo Thinkpad
RAM: 2x4 GB DDR3 @1333 MHz
HDD: Plextor M5pro

OS: Fedora 29 x86_64 with stock kernels

My benchmark of choice is compiling the Linux kernel (version 4.19.2).
What I do is download the kernel version to /dev/shm ramdisk and compile it using the defconfig configuration while checking how many seconds it takes to complete the task.

Xorg present flip failed

Sat, 17 Nov 2018 00:00:00 +0000

In the last couple of months Xorg has been crashing more or less on a daily basis.
What happens is that while you are there browsing the internet, or certain times even doing literally nothing, Xorg crashes and after a second of black screen the user is sent back to the login page.
Hardware configuration of my machine is:


CPU: AMD Ryzen 7 1700x
Motherboard: Gigabyte X370 K7 - BIOS F23d
RAM: 2x16 GB DDR4
HDD: Samsung 850 Pro
GPU: Nvidia GTX260

Monitor 0: Dell U2412M connected via DVI-D
Monitor 1: Dell U2412M connected via HDMI-DVI cable

OS: Fedora 28 and Fedora 29 x86_64
GPU driver: nouveau, various versions
others: varius versions of Linux, Xorg, mesa, etc

I don’t think having two monitors is the culprit nor using a very old Nvidia graphic card is because a friend of mine runs a completely different system (AMD Radeon RX480, single monitor connected using Display Port) and still suffer from the very same problem.
Upgrading from Fedora 28 to Fedora 29 nor installing updates in a timely manner solved the issue for me; searching on the interwebz also did not yeld any result.
After yet another crash, today I finally decided it was time to investigate the issue.
First thing I noticed is that Xorg log file is literally spammed with the following error:

FreeBSD network performance on KVM/Qemu

Tue, 13 Nov 2018 00:00:00 +0000

Today I red an article that was comparing Fedora 29 and FreeBSD 11.2 network performance in a KVM/Qemu environment.
Since I use KVM/Qemu and also Fedora and Freebsd I powered on a couple of vm and did my own tests.
Results are quite interesting, I expected FreeBSD to be faster but it turns out Fedora 29 actually is.
Host system configuration:


CPU: Ryzen 7 1700x @4 GHz
Motherboard: Gigabyte X370 K7 - BIOS F23d
RAM: 2x16 GB DDR4 @3133 MHz CAS 16
HDD: Some Samsung SSD

Operating systems
Host: Fedora 29 x86_64
Fedora VM0: Fedora 29 X86_64
Fedora VM1: Fedora 29 X86_64
FreeBSD VM0: FreeBSD 11.2 x86_64
FreeBSD VM1: FreeBSD 11.2 x86_64

Virtualization techonology: Qemu+KVM
Linux kernel version: 4.18.17-300.fc29.x86_64

What I did was setup 2 hidentical Fedora 29 virtual machines and 2 hidentical FreeBSD 11.2 virtual machines, every one of them had iperf3 installed on it.

Nginx and XMPP over TLS

Sun, 28 Oct 2018 00:00:00 +0000

XMPP over TLS (formerly XEP-0368) is a clever mechanism that allows users to connect to a XMPP server from networks that restrict outgoing traffic only to specific ports; this block is circumvent by routing XMPP traffic via port TCP 443.
If the server hosts only a XMPP server setting up XMPP over TLS is pretty easy, just instruct the server to listen on port 443.
If the server also runs a webserver which is listening on port 443 things are a bit more complicated; luckily Nginx provides a way to manage XMPP traffic and redirect it to the XMPP server.

GNU TAR and memory caching

Wed, 10 Oct 2018 18:00:00 +0000

Guess it is time to write my first post using Hugo.
Yesterday I downloaded a torrent consisting of 2 years worth of 4chan posts, the plan was to mess with it and use the data to train a chatbot.
Dealing with big datasets is always fun because even the easiest tasks tend to get complicated, for example extracting the data from a ~3 GB tar.gz compressed archive was a challenge by itself.
Running “tar -xzvf archive.tar.gz” resulted in TAR/the Linux kernel eating the whole available memory to use it as cache, when that was down to ~200 MB of free RAM my workstation started lagging so hard that even Xorg was freezing for a couple of seconds every 20 or so seconds.
To solve the issue what I did was running the following commands:

CentOS 7: failed to open \efi\centos\grubx64.efi

Wed, 26 Sep 2018 12:52:55 +0000

For some reason one of my CentOS 7 boxes decided to nuke itself yesterday, when I powered it on it prompted me with the following error: “failed to open \efi\centos\grubx64.efi”.
What I did to fix it is:

Boot up a rescue USB, mount the required partitions and chroot.
Add a DNS server:


$ echo "nameserver *.*.*.*" >> /etc/resolv.conf

Enable networking using ifconfig (in my case it was already enabled).
Install some additional grub2 modules:


$ yum install grub2-efi-modules

Reinstall grub, read “/etc/fstab” or “lsblk” command to find it:


$ /sbin/grub2-install /dev/boot/partition

Reinstall grub:


$ yum reinstall grub-efi shim

Rebuild grub.cfg file:


$ grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

Remote encrypted backup with iSCSI and LUKS2

Mon, 27 Aug 2018 19:19:08 +0000

The idea here is to have a LUKS2 encrypted volume stored on a remote server that allows authenticated clients to load and decrypt the data without letting the server know what is being written, read and stored.
Keep in mind that this solution is not 100% bulletproof, you still kind of have to trust the backup server because a malicious entity might take multiple snapshots of the encrypted iSCSI LUN and try to crack the encryption.

LUKS2 the right way: Argon2

Tue, 14 Aug 2018 19:27:09 +0000

Version 2 of cryptsetup got a few new fancy options, one of them is the ability to use Argon2 as key derivation function.
Creating a LUKS2 volume with Argon2 as hash function is very easy:

sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdb

Please note that grub still does not support it, so it can’t be used for boot drives.
Once the volume is created, to mount it run:

Generate a secure SSH key

Fri, 10 Aug 2018 14:42:19 +0000

In Fedora, CentOS and probably many other Linux distros ssh-keygen; still defaults to RSA 2048.
People have not yet realized that the newer, and also faster, elliptic curve cryptography is available; even between my peers I still see that many of them are using old and insecure RSA based keys. Since SSH clients support multiple keys transitioning to newer keys can be painless:

create a new elliptic curve key;
do not delete the old RSA key;
once you login into a server swap the old key with the new one.
Generating a new secure SSH key is pretty simple, just open a terminal and run:

ssh-keygen -o -a 256 -t ed25519

Generate a secure GPG key

Fri, 10 Aug 2018 10:22:56 +0000

For some reason gpg gen-key still defaults to SHA1 and RSA2048, due to the known weaknesses of SHA1 it is probably a better idea to use SHA256.
First of all, we need to create a configuration file.

cat ~/.gnupg/gpg.conf"
---
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

To generate a new key type (also specify to use RSA 4096):

gpg --gen-key
### or
gpg --full-generate-key

Other useful commands are:

Configure apcupsd on CentOS

Mon, 25 Jun 2018 18:04:19 +0000

Apcupsd is a powerful daemon that can be used to manage APC UPS, add epel repositories and run:

$ yum install apcupsd

To configure apcupsd edit the following file:

cat /etc/apcupsd/apcupsd.conf"
---
## apcupsd.conf v1.1 ##
# 
# for apcupsd release 3.14.14 (31 May 2016) - redhat
#
# "apcupsd" POSIX config file

#
# Note that the apcupsd daemon must be restarted in order for changes to
# this configuration file to become active.
#

#
# ========= General configuration parameters ============
#

# UPSNAME xxx
# Use this to give your UPS a name in log files and such. This
# is particulary useful if you have multiple UPSes. This does not
# set the EEPROM. It should be 8 characters or less.
UPSNAME apcups

# UPSCABLE <cable>
# Defines the type of cable connecting the UPS to your computer.
#
# Possible generic choices for <cable> are:
# simple, smart, ether, usb
#
# Or a specific cable model number may be used:
# 940-0119A, 940-0127A, 940-0128A, 940-0020B,
# 940-0020C, 940-0023A, 940-0024B, 940-0024C,
# 940-1524C, 940-0024G, 940-0095A, 940-0095B,
# 940-0095C, 940-0625A, M-04-02-2000
#
UPSCABLE usb

# To get apcupsd to work, in addition to defining the cable
# above, you must also define a UPSTYPE, which corresponds to
# the type of UPS you have (see the Description for more details).
# You must also specify a DEVICE, sometimes referred to as a port.
# For USB UPSes, please leave the DEVICE directive blank. For
# other UPS types, you must specify an appropriate port or address.
#
# UPSTYPE DEVICE Description
# apcsmart /dev/tty** Newer serial character device, appropriate for 
# SmartUPS models using a serial cable (not USB).
#
# usb <BLANK> Most new UPSes are USB. A blank DEVICE
# setting enables autodetection, which is
# the best choice for most installations.
#
# net hostname:port Network link to a master apcupsd through apcupsd's 
# Network Information Server. This is used if the
# UPS powering your computer is connected to a 
# different computer for monitoring.
#
# snmp hostname:port:vendor:community
# SNMP network link to an SNMP-enabled UPS device.
# Hostname is the ip address or hostname of the UPS 
# on the network. Vendor can be can be "APC" or 
# "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap 
# catching; you usually want "APC". Port is usually 
# 161. Community is usually "private".
#
# netsnmp hostname:port:vendor:community
# OBSOLETE
# Same as SNMP above but requires use of the 
# net-snmp library. Unless you have a specific need
# for this old driver, you should use 'snmp' instead.
#
# dumb /dev/tty** Old serial character device for use with 
# simple-signaling UPSes.
#
# pcnet ipaddr:username:passphrase:port
# PowerChute Network Shutdown protocol which can be 
# used as an alternative to SNMP with the AP9617 
# family of smart slot cards. ipaddr is the IP 
# address of the UPS management card. username and 
# passphrase are the credentials for which the card 
# has been configured. port is the port number on 
# which to listen for messages from the UPS, normally 
# 3052. If this parameter is empty or missing, the 
# default of 3052 will be used.
#
# modbus /dev/tty** Serial device for use with newest SmartUPS models
# supporting the MODBUS protocol.
# modbus <BLANK> Leave the DEVICE setting blank for MODBUS over USB
# or set to the serial number of the UPS to ensure 
# that apcupsd binds to that particular unit
# (helpful if you have more than one USB UPS).
#
UPSTYPE usb
DEVICE 

# POLLTIME <int>
# Interval (in seconds) at which apcupsd polls the UPS for status. This
# setting applies both to directly-attached UPSes (UPSTYPE apcsmart, usb, 
# dumb) and networked UPSes (UPSTYPE net, snmp). Lowering this setting
# will improve apcupsd's responsiveness to certain events at the cost of
# higher CPU utilization. The default of 60 is appropriate for most
# situations.
POLLTIME 60

# LOCKFILE <path to lockfile>
# Path for device lock file. This is the directory into which the lock file
# will be written. The directory must already exist; apcupsd will not create
# it. The actual name of the lock file is computed from DEVICE.
# Not used on Win32.
LOCKFILE /var/lock

# SCRIPTDIR <path to script directory>
# Directory in which apccontrol and event scripts are located.
SCRIPTDIR /etc/apcupsd

# PWRFAILDIR <path to powerfail directory>
# Directory in which to write the powerfail flag file. This file
# is created when apcupsd initiates a system shutdown and is
# checked in the OS halt scripts to determine if a killpower
# (turning off UPS output power) is required.
PWRFAILDIR /etc/apcupsd

# NOLOGINDIR <path to nologin directory>
# Directory in which to write the nologin file. The existence
# of this flag file tells the OS to disallow new logins.
NOLOGINDIR /etc


#
# ======== Configuration parameters used during power failures ==========
#

# The ONBATTERYDELAY is the time in seconds from when a power failure
# is detected until we react to it with an onbattery event.
#
# This means that, apccontrol will be called with the powerout argument
# immediately when a power failure is detected. However, the
# onbattery argument is passed to apccontrol only after the 
# ONBATTERYDELAY time. If you don't want to be annoyed by short
# powerfailures, make sure that apccontrol powerout does nothing
# i.e. comment out the wall.
ONBATTERYDELAY 6

# 
# Note: BATTERYLEVEL, MINUTES, and TIMEOUT work in conjunction, so
# the first that occurs will cause the initation of a shutdown.
#

# If during a power failure, the remaining battery percentage
# (as reported by the UPS) is below or equal to BATTERYLEVEL, 
# apcupsd will initiate a system shutdown.
BATTERYLEVEL 5

# If during a power failure, the remaining runtime in minutes 
# (as calculated internally by the UPS) is below or equal to MINUTES,
# apcupsd, will initiate a system shutdown.
MINUTES 10

# If during a power failure, the UPS has run on batteries for TIMEOUT
# many seconds or longer, apcupsd will initiate a system shutdown.
# A value of 0 disables this timer.
#
# Note, if you have a Smart UPS, you will most likely want to disable
# this timer by setting it to zero. That way, you UPS will continue
# on batteries until either the % charge remaing drops to or below BATTERYLEVEL,
# or the remaining battery runtime drops to or below MINUTES. Of course,
# if you are testing, setting this to 60 causes a quick system shutdown
# if you pull the power plug. 
# If you have an older dumb UPS, you will want to set this to less than
# the time you know you can run on batteries.
TIMEOUT 60

# Time in seconds between annoying users to signoff prior to
# system shutdown. 0 disables.
#ANNOY 300
ANNOY 0

# Initial delay after power failure before warning users to get
# off the system.
#ANNOYDELAY 60
ANNOYDELAY 1

# The condition which determines when users are prevented from
# logging in during a power failure.
# NOLOGON <string> [ disable | timeout | percent | minutes | always ]
NOLOGON disable

# If KILLDELAY is non-zero, apcupsd will continue running after a
# shutdown has been requested, and after the specified time in
# seconds attempt to kill the power. This is for use on systems
# where apcupsd cannot regain control after a shutdown.
# KILLDELAY <seconds> 0 disables
KILLDELAY 0

#
# ==== Configuration statements for Network Information Server ====
#

# NETSERVER [ on | off ] on enables, off disables the network
# information server. If netstatus is on, a network information
# server process will be started for serving the STATUS and
# EVENT data over the network (used by CGI programs).
NETSERVER on

# NISIP <dotted notation ip address>
# IP address on which NIS server will listen for incoming connections.
# This is useful if your server is multi-homed (has more than one
# network interface and IP address). Default value is 0.0.0.0 which
# means any incoming request will be serviced. Alternatively, you can
# configure this setting to any specific IP address of your server and 
# NIS will listen for connections only on that interface. Use the
# loopback address (127.0.0.1) to accept connections only from the
# local machine.
NISIP 127.0.0.1

# NISPORT <port> default is 3551 as registered with the IANA
# port to use for sending STATUS and EVENTS data over the network.
# It is not used unless NETSERVER is on. If you change this port,
# you will need to change the corresponding value in the cgi directory
# and rebuild the cgi programs.
NISPORT 3551

# If you want the last few EVENTS to be available over the network
# by the network information server, you must define an EVENTSFILE.
EVENTSFILE /var/log/apcupsd.events

# EVENTSFILEMAX <kilobytes>
# By default, the size of the EVENTSFILE will be not be allowed to exceed
# 10 kilobytes. When the file grows beyond this limit, older EVENTS will
# be removed from the beginning of the file (first in first out). The
# parameter EVENTSFILEMAX can be set to a different kilobyte value, or set
# to zero to allow the EVENTSFILE to grow without limit.
EVENTSFILEMAX 10

#
# ========== Configuration statements used if sharing =============
# a UPS with more than one machine

#
# Remaining items are for ShareUPS (APC expansion card) ONLY
#

# UPSCLASS [ standalone | shareslave | sharemaster ]
# Normally standalone unless you share an UPS using an APC ShareUPS
# card.
UPSCLASS standalone

# UPSMODE [ disable | share ]
# Normally disable unless you share an UPS using an APC ShareUPS card.
UPSMODE disable

#
# ===== Configuration statements to control apcupsd system logging ========
#

# Time interval in seconds between writing the STATUS file; 0 disables
STATTIME 0

# Location of STATUS file (written to only if STATTIME is non-zero)
STATFILE /var/log/apcupsd.status

# LOGSTATS [ on | off ] on enables, off disables
# Note! This generates a lot of output, so if 
# you turn this on, be sure that the
# file defined in syslog.conf for LOG_NOTICE is a named pipe.
# You probably do not want this on.
LOGSTATS off

# Time interval in seconds between writing the DATA records to
# the log file. 0 disables.
DATATIME 0

# FACILITY defines the logging facility (class) for logging to syslog. 
# If not specified, it defaults to "daemon". This is useful 
# if you want to separate the data logged by apcupsd from other
# programs.
#FACILITY DAEMON

#
# ========== Configuration statements used in updating the UPS EPROM =========
#

#
# These statements are used only by apctest when choosing "Set EEPROM with conf
# file values" from the EEPROM menu. THESE STATEMENTS HAVE NO EFFECT ON APCUPSD.
#

# UPS name, max 8 characters 
#UPSNAME UPS_IDEN

# Battery date - 8 characters
#BATTDATE mm/dd/yy

# Sensitivity to line voltage quality (H cause faster transfer to batteries) 
# SENSITIVITY H M L (default = H)
#SENSITIVITY H

# UPS delay after power return (seconds)
# WAKEUP 000 060 180 300 (default = 0)
#WAKEUP 60

# UPS Grace period after request to power off (seconds)
# SLEEP 020 180 300 600 (default = 20)
#SLEEP 180

# Low line voltage causing transfer to batteries
# The permitted values depend on your model as defined by last letter 
# of FIRMWARE or APCMODEL. Some representative values are:
# D 106 103 100 097
# M 177 172 168 182
# A 092 090 088 086
# I 208 204 200 196 (default = 0 => not valid)
#LOTRANSFER 208

# High line voltage causing transfer to batteries
# The permitted values depend on your model as defined by last letter 
# of FIRMWARE or APCMODEL. Some representative values are:
# D 127 130 133 136
# M 229 234 239 224
# A 108 110 112 114
# I 253 257 261 265 (default = 0 => not valid)
#HITRANSFER 253

# Battery charge needed to restore power
# RETURNCHARGE 00 15 50 90 (default = 15)
#RETURNCHARGE 15

# Alarm delay 
# 0 = zero delay after pwr fail, T = power fail + 30 sec, L = low battery, N = never
# BEEPSTATE 0 T L N (default = 0)
#BEEPSTATE T

# Low battery warning delay in minutes
# LOWBATT 02 05 07 10 (default = 02)
#LOWBATT 2

# UPS Output voltage when running on batteries
# The permitted values depend on your model as defined by last letter 
# of FIRMWARE or APCMODEL. Some representative values are:
# D 115
# M 208
# A 100
# I 230 240 220 225 (default = 0 => not valid)
#OUTPUTVOLTS 230

# Self test interval in hours 336=2 weeks, 168=1 week, ON=at power on
# SELFTEST 336 168 ON OFF (default = 336)
#SELFTEST 336

The configuration I use is pretty simple, basically shutdown the server if the power is down for more than one minute.
ANNOY flag is also disabled (set to 0) because I do not need it on headless servers.

APC UPS and HP server gen8 not restarting automatically when power goes back online after shutdown procedure is already starded but not completed

Mon, 25 Jun 2018 17:35:54 +0000

I have got my hands on an APC UPS and some HP gen8 server, installed apcupsd on CentOS 7, connected the USB cable and everything was working fine except for this very annoying issue I had: * power goes down (pull the UPS power cord).

after some minutes the UPS battery threshold is triggered and the server shutdown procedure is launched by apcupsd.
power goes back up (plug in the power cord) while the server is already shutting down but the shutdown sequence is not yet completed.

RESULT: the server will not power itself up even if the correct setting is selected in BIOS (last power state or always on).
If the power stays offline for enough time for the server to completely shutdown and for the UPS to also shutdown once the power goes back online the server starts up automatically like it is supposed to do.
The only workaround I could think of to solve the issue is running a cron job on the router, which is running OpenWRT, to trigger wake-on-LAN for the server.
I don’t really like this solution, it feels hackish but still I could not find a better way to make the damn server power on automatically all by himself.
As for OpenWRT and wake-on-LAN, first of all install etherwake from LuCI or opkg:

OpenVPN: tun tap invalid argument (code=22)

Fri, 11 May 2018 12:29:10 +0000

After upgrading my OpenVPN server to CentOS 7.5 I had trouble connecting to it.
Specifically, I had two different issues:
** the laptop, which is running Fedora 28, was able to connect just fine but DNS resolution was broken.
** OpenVPN for Android was also connecting just fine but reporting a weird error: OpenVPN: tun tap invalid argument (code=22).
The first one was caused by me because after the CentOS upgrade procedure was completed I also run yum autoremove which deleted dnsmasq; the solution was fairly simple, reinstall and reconfigure dnsmasq.
For the second issue the solution was to enable comp-lzo and voilà, everything started working again.

Nginx, PHP-FPM, SELinux and sendmail

Fri, 23 Mar 2018 13:54:15 +0000

Since I am a real master at forgiving things I am writing this one down.
PHP mail function relies on sendmail but SELinux by default block webservers from sending emails, the usual error that pop-out is:

cat /var/log/maillog">
---
sendmail[16328]: NOQUEUE: SYSERR(nginx): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied

Allow webservers to send email is as easy as editing the appropriate SELinux boolean:

setsebool -P httpd_can_sendmail 1

Use sestatus to check SELinux booleans:

Compile LineageOS 15.1 for Oneplus 3 on Fedora

Thu, 08 Mar 2018 18:40:39 +0000

LineageOS in Android Oreo flavor is finally here, I guess it is time to update the guide I wrote a while back.
Most of the stuff is exactly the same, for the sake of simplicity this guide will be pretty much a copy and paste of the old one with just some bits changed here and there.
Required packages on Fedora are (rpmfusion repo must be previously installed):

Firejail and symlink pointing outside of home directory

Tue, 19 Dec 2017 18:03:27 +0000

I normally move /home/user/Downloads off /home/user to a secondary mechanical drive and then symlink it back to /home/user.
Firejail for security reasons does not allow whitelisting directories residing outside of the home directory, the simplest solution I found is mount Download directory using mount --bind.

sudo mount --bind /mnt/data/Downloads/ /home/user/Downloads

To make the change permanent edit fstab:

cat /etc/fstab
---
/mnt/data/Downloads /home/user/Downloads none bind

Free Suunto Ambit3 from the botnet

Wed, 06 Dec 2017 18:08:55 +0000

Suunto makes some solid sport-watches, problem is that the management software is comprised of a closed source synchronization program (compatible with Windows and OSX only) and some cancerous cloud web interface accessible directly from their website.
Even putting aside my personal aversion for closed source software, it is clear that this approach is retarded because an internet connection is required to be able to download any kind of data from the watch.
What if I don’t have any signal? What if I don’t want to upload my data to Suunto’s servers?
Luckily some good lads reverse engineered the communication protocol used by the watch to speak with the PC synchronization client, and even more, they also wrote an open source Linux compatible tool that can be used to download data from the watch.
This tool is called: Openambit
The version included in Fedora 27 repositories is not up to date and does not support the Ambit3 Run I own, luckily the github version does.

AMD Ryzen, DDR4 Dual Rank and BankGroupSwap

Fri, 10 Nov 2017 17:10:47 +0000

If I had to guess I would say that more than 90% of AMD Ryzen based builds use Single Rank memory sticks.
Finding any information regarding how Dual Rank DDR4 perform, how they react to overclock or even worse, what memory settings are the best is pretty much mission impossible.
Since I use Dual Rank DDR4, because, face it, it is 2017 and 16 GB of RAM does not cut it anymore, I had to dig in unexplored territories to find out what the best settings are.
What follows are my personal findings on the impact of BankGroupSwap setting on system performance.

LEDE/OPENWRT first run configuration guide

Sat, 04 Nov 2017 13:33:49 +0000

LEDE, formerly OpenWRT, is a free open source Linux based operating system aimed at networking hardware.
Every time the system is upgraded to a newer version using the so called Sysupgrade BIN image every package the user manually installed gets lost; this makes the upgrade process very tedious especially if one does not properly write down all the customization he has made.
I don’t use many custom packages but QoS, USB support and vnstat are a must have.

Zabbix and XMPP alerts

Mon, 23 Oct 2017 17:44:14 +0000

Zabbix should theoretically be able out of the box to send alerts via XMPP.
For some reason this functionality does not work as intended, luckily it is possible to specify a custom script to send alerts; combining the aforementioned script with the Perl library sendxmpp is the easiest way to enable Zabbix from sending notifications via XMPP.

$ yum install sendxmpp

Create a bash script, this will be invoked by Zabbix to send notifications:

Zabbix server on CentOS 7 and SELinux

Mon, 23 Oct 2017 11:28:46 +0000

Zabbix is an open source resource and network monitoring system, more info: zabbix.com.
The official wiki is missing some important bits regarding the installation of the tool on CentOS 7 systems.
First of all, let’s add Zabbix repository and then proceed to with the installation of Zabbix and some required dependecies:

$ rpm -ivh http://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-1.el7.centos.noarch.rpm
$ yum install mariadb mariadb-server httpd zabbix-server-mysql zabbix-web-mysql setroubleshoot

Configure MariaDB

Self hosting Firefox Sync on CentOS 7

Wed, 18 Oct 2017 17:22:49 +0000

Configuring this piece of poorly documented bloated shit Mozilla came up with was a huge pain in the ass, so excuse the colored language but I am fucking pissed.
The idea was to finally implement a system to synchronize Firefox’s bookmarks across multiple devices without giving Mozilla all my personal data.
After some minutes spent researching the subject on the interweb I found out the synchronization system is a huge clusterfuck comprised of multiple components:

CentOS and yum - Error: rpmdb open failed

Tue, 29 Aug 2017 12:23:37 +0000

Today I had Ansible reporting an error on one of my CentOS machines while performing the usual upgrade procedure.
I SSH’d into the host to check what was wrong and run yum clean all && yum update manually just to be greeted with the following error:

rpmdb: PANIC: fatal region error detected; run recovery
error: db3 error(-30974) from dbenv->open: DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db3 - (-30974)
error: cannot open Packages database in /var/lib/rpm
CRITICAL:yum.main:

Error: rpmdb open failed

The solution to the issue luckily was fairly simple and quick:

NFS on Fedora

Thu, 20 Jul 2017 20:33:48 +0000

NFS allows to share files and folders over network and is much much faster than samba while using way less resources.
To setup a NFS server on Fedora 26 install:

$ dnf install nfs-utils

Shared directories are listed in the following configuration file:

---
# Syntax
# <path> <ipaddr>(<option>)
/home/user/Public 192.168.0.0/255.255.255.0(ro,sync)

More information can be found here: Fedora NFS administration guide.
In the above example, the the directory ‘/home/user/Public’ can be accessed by every client in the same LAN with read-only permissions.
In case SELinux is active and enforcing rules some further configuration might be required:

AMD Ryzen on Linux

Sat, 17 Jun 2017 10:52:37 +0000

Finally we have some new hardware worth writing of and also spending money on.
I have been using an AMD Ryzen 7 1700X based build for some time now and so far I am really liking it, the CPU is marvelous considering the pricetag and felt like a worthwhile upgrade from the Xeon E3-1241v3 I was using before; it is basically twice the cores clocked at pretty much the same speed. Awesome.
There are a couple of points worth spending some words on tho.

Handbrake, compile from source on Fedora 25

Tue, 13 Jun 2017 14:03:27 +0000

Handbrake cannot be installed from default repos nor rpmfusion, to get it on Fedora 25 there are two other options:

use negativo17 third party repository;
compile from source.
The first option is, but that is my opinion, subpar because I don’t trust third party repositories; option two is what is left.
Download the source code from git and install some dependencies:

$ git clone https://github.com/HandBrake/HandBrake.git
$ sudo dnf install dbus-glib-devel gstreamer1-devel gstreamer1-plugins-base-devel intltool libgudev1-devel libnotify-devel webkitgtk3-devel libgudev-devel dbus-glib-devel webkitgtk3-devel gstream-devel libnotify-devel gstreamer1-devel gstreamer1-plugins-base-devel lame-devel opus-devel fribidi-devel libass-devel libtheora-devel x264-devel nasm

Like I do with every other program I like to keep as much up to date as possible, I have a small script to take care of compilation, installation and upgrade processes for me.

Gajim and OMEMO on Gentoo Linux

Sat, 11 Mar 2017 13:43:53 +0000

OMEMO is the new-ish state of the art end-to-end encryption XMPP protocol extension, Gajim support it via a plugin but making it work on Gentoo is not straightforward at all.
Gajim’s OMEMO plugin requires python-axolotl package to work, since that is not present in Gentoo’s repositories it must be installed from source.
Before doing so a couple of dependencies must be installed first:

$ emerge -a dev-python/protobuf-python
$ chmod o+w /usr/lib64/python3.4/site-packages/protobuf-3.2.0-py3.4.egg/EGG-INFO/namespace_packages.txt
$ emerge -a dev-python/pillow dev-python/qrcode

The chmod command fix some permission issue that arise when installing packages depending on protobuf-python if Python 3.4 support is enabled.
Get and compile python-axolotl:

Monitor hard disk health status with smartd on Linux

Thu, 02 Feb 2017 10:20:34 +0000

This does not really works, read this: https://nagg.eu/monitor-hard-disk-smart-status-in-python/

First of all install smartmontools, it has the same name on pretty much every distro:

$ emerge -a1 smartmontools

Proceed to edit its configuration file, at the bottom of the file there is a quick explaination of all the available parameters:

cat/etc/smartd.conf
---
DEVICESCAN -H -R 1 -R 5 -R 7 -R 10 -R 11 -R 196 -R 197 -R 199 -R 200 -m user@domain.tld -n standby,10,q

Parameter -H tells smartd to check the result of overall-health self-assesment test which is pretty much useless, -R is used to specify a single SMART attribute, if its value changes a mail is sent to user@domain.tld.
To send emails a MTA must be installed, in centos that is sendmail, in gentoo it is not strictly necessary to have a full fledget MTA installed, nullmailer will suffice.
If it is not already installed:

Compile LineageOS for Oneplus 3 on Fedora 25

Sun, 08 Jan 2017 21:11:07 +0000

Android community is one big cancerous clusterfuck, it is no wonder that finding a decent guide on how to compile Android from source written in a somewhat comprehensible english is pretty much mission impossible.
Cyanogenmod Inc. shutting down their wiki and services overnight surely didn’t help either.
Required packages on Fedora 25 are (rpmfusion repo must be previously installed):

$ sudo dnf install screen java-1.8.0-openjdk-devel git schedtool ncurses-devel ncurses-libs ncurses-compat-libs ImageMagick-devel libstdc++-devel bison gnupg lzma

For some reason the compilation process stores some temporary files in /tmp which, in Fedora 25, is mounted on a tmpfs ramdisk.
In case the ramdisk runs out of space for some retarded reason the build process instead of halting will go on like nothing happens and produce borked binaries as output.
To keep /tmp mounted on HDD run:

Manually backup/restore Android application's data

Sun, 08 Jan 2017 18:00:00 +0000

Android stores application’s data in /data/data directory, it can be accessed via adb only on a rooted phone.
To make a backup copy the correspondent directory:

$ adb root
$ adb pull /data/data/eu.siacs.conversations

Application’s data can also be extracted from a full system backup made with TWRP:

$ tar -xvf data.ext4.win000

Restoring the backup is the tricky part since Android uses SELinux and every app has it’s own unix user.
Before copying back on the phone the already backupped files reinstall the app from f-droid or whatever, then proceed as follow:

BTRFS RAID10 on Gentoo

Sun, 08 Jan 2017 16:59:10 +0000

Btrfs is fairly stable and with the latest kernels it is becoming even a better alternative to the most commonly used EXT4 and XFS filesystems.
While not being always better or faster it brings to the table a huge amount of improvements that makes it by far the best filesystems for storage.
XFS itself is moving in the very same direction and will probably have in the near future some of the features Btrfs already has (e.g. copy on write).
No MDADM or partitioning is needed, to create a RAID10 with 4 HDD just type (where /dev/sd[X] is the disk whole disk, not a partition):

Ejabberd HTTP File Upload (XEP-0363)

Mon, 14 Nov 2016 18:36:53 +0000

XMPP module HTTP File Upload (formerly XEP-0363) provides a way to share files between XMPP clients, it works transparently and even in multi user chats.
The sender uploads a file on an HTTP(S) server that will then generate an URI, this is sent to each one of the recipients that can then download it.
The interesting bits about this XEP are various:

File sharing now works even in multi-user chats (MUC), in any case the file is only uploaded a single time even if the recipients are more than one.
Peer-to-peer file transfer, be it in-band (XEP-0234: Jingle File Transfer) or out-of-band (XEP-0065: SOCKS5 Bytestreams), is slow, unreliable, does not work in MUC and does not work if the recipient is offline.
HTTP File Upload supports both client-server encryption (HTTPS) and end-to-end encryption when used in conjunction with OMEMO encryption (as per today this is supported by Conversations on Android and Gajim desktop client).
3.1. When using OMEMO encryption the files are stored encrypted on the server, this makes it impossibile for ejabberd to create a thumbnail if the file sent is a picture.
To enable HTTP File Upload module with HTTPS enabled in ejabberd edit ejabberd.yml configuration file: >

listen:
 -
 port: 5443
 ip: "0.0.0.0"
 module: ejabberd_http
 request_handlers:
 "upload": mod_http_upload
 tls: true
 protocol_options: 'TLS_OPTIONS'
 dhfile: 'DH_FILE'
 ciphers: 'TLS_CIPHERS'

modules:
 mod_http_upload:
 docroot: "/home/ejabberd/upload" # this must be a valid path, user ownership and SELinux flags must be set accordingly
 put_url: "https://@HOST@:5443/upload"
 access: local
 max_size: 25000000 #25 MByte
 thumbnail: false
 file_mode: "0644"
 dir_mode: "0744"
 mod_http_upload_quota:
 max_days: 2

shaper:
 soft_upload_quota:
 - 250: all # MiB
 hard_upload_quota:
 - 10000: all # MiB

define_macro:
 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 'TLS_OPTIONS':
 - "no_sslv2, no_sslv3, no_tlsv1"
 - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 - "no_compression"
 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096

Add an iptables rule to allow traffic coming from port TCP 5443:

Copy Linux sparse files over network

Wed, 09 Nov 2016 18:19:35 +0000

Sparse files are nice to use to store virtual machine’s virtual disks but can be a real pain in the ass to backup efficiently, especially over the network.
Luckily rsync provides a way to intelligently copy sparse files both locally and over the network.
The trick is use --sparse and --inplace options.
Let’s say we have a sparse 60 GB qemu virtual disk with only around 7 GB used:

$ ls -lh fedora24.qcow2 
-rw------- 1 root root 61G Nov 8 19:11 fedora24.qcow2
$ du -h fedora24.qcow2 
7.2G	fedora24.qcow2

The first thing to note is that ls does not recognize sparse files while du does.
The first time a file is copied use the --sparse option:

CM13 reboot when opening gallery

Tue, 02 Aug 2016 16:00:27 +0000

All Cyanogenmod 13 nightly builds past July 28 seem to be affected by a bug that makes the phone reboot just a few seconds after opening the Gallery application.
The issue seems to be related to the newly added support to sdcardfs which obviously isn’t playing well at the moment.
A workaround to prevent the phone from crashing and rebooting is to edit the build.prop file located in /system; this can be done either via adb using the command adb shell or more practically directly on the phone using the built in file manager and text editor (provided that in file manager’s settings access mode option is set to Root access mode).

RawTherapee: compiling from source on Fedora 23

Mon, 13 Jun 2016 21:50:17 +0000

RawTherapee from my experience is by far the best program to manipulate RAF files, it’s demosaic algorithm for Fujifilm X-Trans sensors is astonishingly good.
Too bad that, like for Darktable, the version included in Fedora’s repos is outdated to say the least.
To install from source first install some dependecies:

$ sudo dnf install bzip2-devel cmake exiv2-devel expat-devel fftw-devel gcc-c++ glib2-devel glibmm24-devel gtk3-devel gtkmm30-devel lcms2-devel libcanberra-devel libiptcdata-devel libjpeg-turbo-devel libpng-devel libsigc++20-devel libtiff-devel zlib-devel gtkmm24-devel lensfun-devel

Git clone and install

Darktable: compiling from source on Fedora 23

Sat, 14 May 2016 19:47:08 +0000

Darktable documentation on this matter is somewhat fragmented, so I figure a small how-to on how to install it from source on Fedora 23 could be useful.
The version included in the official repositories is really old (version 1.6.9 as per today) and is missing some important presets for many widely used cameras.
The latest version source code archive can be downloaded from here: https://github.com/darktable-org/darktable/releases.
Before compiling and installing the software the following dependencies must be installed:

Automating Ejabberd upgrade procedure with Ansible

Mon, 08 Feb 2016 23:11:28 +0000

CentOS repos (both official and EPEL) does not provide an up to date version of Ejabberd, installing from source is the only way if one want or need a version from this century.
Problem is that doing things manually is a never ever a good idea, luckily Ansible and a bit of Python love come to rescue.
Supposing Ejabberd is already installed and configured (I wrote a post on the subject a couple of years ago: https://nagg.eu/ejabberd-xmpp-server-configuration-guide//) the following Ansible script will take care of all the steps needed to upgrade to a newer version of Ejabberd

TWRP with FS encryption and CM13 support for OPO

Sat, 23 Jan 2016 18:46:49 +0000

Android ROM scene is cluster fuck of inhumane proportion; the complete lack of documentation, decent how-to, decent guides and the retarded works for me attitude the whole community has really amazes me.
TWRP project is a good example of a really useful tool used by [millions] of people all over the world, one would assume that it has to be maintained in a professional way but this is as far from the reality as something can get.
The official site lacks any kind of documentation, the only information one can find there are either completely useless or partial and incomplete (e.g. the how to build from source guide linked on TWRP faq page is a link to a XDA forum post saying absolutely nothing on how to build this shit).
Not only that, but the site download page (one would hope that at least that part was taken care of…) is not up to date.
For bacon (oneplus one), which is a really popular phone among modders, the latest version present in the download page of the official TWRP site is the buggy and completely useless twrp-2.8.7.0-bacon.
To get the latest version (twrp-2.8.7.1-bacon) which supports file-system encryption on CM13 and correctly flash the baseband ROM one has to dig through a whole pile of shit on XDA and finally find a post where pajeet post a link where to download it: http://build.twrp.me/twrp/twrp-2.8.7.1-bacon.img
The irony is that the link is from the TWRP official site even though it can’t be found anywhere on the bacon download page on the very same site.
In case someone decide to delete the file I am rehosting it here: https://nagg.eu/misc/twrp-2.8.7.1-bacon.img

mdadm RAID on Linux

Thu, 21 Jan 2016 21:06:19 +0000

Every time I have to setup a software RAID in Linux using mdadm I forget something, this time I am writing it down once and for all (or at least I hope so).
For the sake of simplicity I will use the creation of a RAID1 as example but this very same procedure can be applied for any other kind of RAID.

RAID array creation

1. Partition the drives

This step must be repeated for each drive of the array (/dev/sdb and /dev/sdc in my case).

Defragment XFS file system

Wed, 20 Jan 2016 18:18:18 +0000

XFS just like EXT4 (I wrote a post about it last year) supports online defragmentation, to manage those volumes on CentOS and Fedora xfsprogs package is needed.
Fragmentation level of XFS volumes can be checked with the command:

[root@CentOS ~]$ xfs_db -c frag -r /dev/sdb1
actual 4491, ideal 4006, fragmentation factor 10.80%

To perform online defragmentation of XFS volumes run the following command:

QEMU+KVM, reclaim disk space

Tue, 17 Nov 2015 11:06:29 +0000

After some time qcow2 images tend -especially after taking snapshots- to grow bigger and bigger, even bigger than the maximum size specified at creation time.
QEMU provides a tool called virt-sparsify (install libguestfs-tools package in CentOS 7) that can effectively make a virtual machine disk thin provisioned (space is not preallocated, only the actual space needed is used).
virt-sparsify has a nice number of options, the most interesting one is --in-place, it tells QEMU to shrink the volume in place without requiring any addition space.

CentOS, DNSCrypt and pdnsd

Sun, 01 Nov 2015 22:40:27 +0000

DNSCrypt installation process is pretty simple since it is present in the repository, pdnsd on the other hand is missing, luckily compiling from source is not that hard.
For the sake of completeness I will also cover the procedure to install DNSCrypt from source, alternatively yum install dnscrypt-proxy.
Install the required dependencies and get the source code:

[root@CentOS ~]# yum install gcc libsodium-devel libtool-ltdl-dev git wget
[root@CentOS ~]# git clone https://github.com/jedisct1/dnscrypt-proxy.git
[root@CentOS ~]# wget http://members.home.nl/p.a.rombouts/pdnsd/releases/pdnsd-1.2.9a-par.tar.gz

pdnsd

Compile and install:

Setting up Vim on Fedora

Sat, 17 Oct 2015 14:34:09 +0000

Since every time I am about to install Vim I forgot how to set it up, set it as default system wide text editor and so on I figure I’ll write it down once and for all.
First of all let’s install Vim, specifically the so called enhanced version which is capable of loading plugins and colorschemes:

[user@Fedora ~]# sudo dnf install vim
### powerline plugin
[user@Fedora ~]# sudo dnf install vim-plugin-powerline

I personally really like molokay colorscheme from tomasr; putting it in the default colorscheme directory does the trick if we want to use it for every user.

ejabberd and fail2ban

Wed, 16 Sep 2015 18:54:42 +0000

Fail2ban is a useful tool capable of mitigating brute force attacks performed against a multitude of services (ejabberd in our case).
Configuration is split between a multitude of files: jail.conf defines which filters are active while the filters scripts are placed in ./filter.d directory.

[root@CentOS ~]# vi /etc/fail2ban/jail.conf
---
bantime = 1200
findtime = 1200
maxretry = 10

backend = auto

[ejabberd-auth]
enabled = true
port = 5222,5280,7777
action = iptables-multiport[name=ejabberd, port="5222,5269,5280,777", protocol=tcp]
logpath = /var/log/ejabberd/ejabberd.log
---

[root@CentOS ~]# vi /etc/fail2ban/filter.d/ejabberd-auth.conf
---
[Definition]

failregex = ^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
                ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
                ^.* Failed authentication for \S+ from <HOST>$
                ^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$
                ^.* from <<"<HOST>">> failed with error: <<"bad-password">>$
                ^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$

ignoreregex =

[Init]

journalmatch =
---

The first two regular expressions are for user authentication while the others are for administration panel login.
Other useful commands are:

ejabberd SOCKS5 proxy – file transfer

Thu, 03 Sep 2015 14:08:00 +0000

Ejabberd XMPP server includes a SOCKS5 proxy, setting it up correctly is what makes the difference between fast or very slow file transfer operations.
As per XEP-0065 file transfer is either peer-to-peer or mediated by a proxy server.
In Conversation peer-to-peer transfer is done by converting the file in base64, split it in 4 kb chunks sent one at the time always awaiting first for the ACK of the precedent one; this makes the whole process painfully slow and bandwidth consuming.
The other file transfer method supported by Conversation is defined by XEP-0234 (or Jingle file transfer) which relies on a SOCKS5 proxy and also allow to negotiate parameters like encryption.
Ejabberd configuration:

DNScrypt-proxy 1.6.2, new configuration

Tue, 18 Aug 2015 17:24:15 +0000

The latest version of DNScrypt-proxy does not use anymore a single configuration file (/etc/conf.d/dnscrypt-proxy) but instead completely relies on systemd.
Configuration is now split in two different files.

[root@arch ~]# cat /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service
---
[Unit]
Description=DNSCrypt client proxy
Requires=dnscrypt-proxy.socket

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=simple
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy \
 --resolver-address=185.97.7.7:27015 \
 --provider-name=2.dnscrypt-cert.fvz-rec-de-fra-01.dnsrec.meo.ws \
 --provider-key=9FCC:EB74:6856:238D:AC57:428B:DE4F:D9C6:E736:5370:E9F9:5415:3BD3:6EBE:A8C2:FAFE \
 --user=nobody

…and…

[root@arch ~]# cat /etc/systemd/system/dnscrypt-proxy.socket
---
[Unit]
Description=dnscrypt-proxy listening socket
After=network.target

[Socket]
ListenStream=127.0.0.2:53
ListenDatagram=127.0.0.2:53

[Install]
WantedBy=sockets.target

Firefox freeze/is not responding

Mon, 15 Jun 2015 14:45:43 +0000

After some years of using Firefox (currently version 38.0.5) with Session Restore enabled (the browser saves all the tabs from the previous session and reload them at the next start-up) it started to act weird and freeze for around 10 seconds 3 or 4 times a day.
This very annoying behavior is caused by the presence of multiple useless Session Restore files.
To delete those files open a new tab and type about:support in the address bar, then in the Application Basics area click on the Open Directory button placed next to Profile Directory.
Delete every file named sessionstore_something_.js and everything inside sessionstore-backups directory.
Close and reopen Firefox, this should solve the problem.

Nginx, PHP-FPM caching done right

Wed, 22 Apr 2015 23:38:54 +0000

The whole web is full of pseudo guides on how to properly - that is the key word here - configure Nginx to perform caching alongside with PHP-FPM, but every single one of them fails to mention some minor steps resulting in a borked half functioning implementation.
For example, not a single one mention the necessity to edit /etc/php.ini and set session.use_cookies to 0.
Too bad that without doing so caching with WordPress in combination with certain plugins or themes (for example MainWP or Enfold theme) is completely not working; the following headers get added to every HTTP response:

Pacman email updates notification

Mon, 13 Apr 2015 18:54:24 +0000

Pacman as long as I know does not provide any method for sending an email notification when there are updates available.
SSH into the Arch box just to find out if there are updates available is really annoying so I wrote a simple bash script to do the dirty work on my behalf.

[root@arch ~]# cat /etc/cron.daily/check4updates.sh 
#!/bin/bash

HOST=hostname
DOMAIN=domain
SUBJECT="System update: $HOST@$DOMAIN"
EMAIL_ADDR="name@domain"

### Query pacman for available updates
updates_raw=$(pacman -Syu <<< n)

if echo $updates_raw | grep "there is nothing to do"
then
	echo Everything is up to date
else
	updates=${updates_raw#*Packages ([1-9])}

	### extract packages update list
	up_raw=${updates%Total Download*}
	up=$(echo $up_raw | tr ' ' '\n')
	#echo -e "$up" > report.txt

	### extract update size
	us=${updates#*Total Download*}
	#echo -e "\nTotal Download $us" >> report.txt

	### compose email
	email_text="New updates available for host $HOST\n\n$up\n\nTotal Download$us"
	echo -e "$email_text" | mail -s "$SUBJECT" "$EMAIL_ADDR"
fi

To schedule the cron job to run everyday at 1 am edit the following files:

Defragment EXT4 file system

Fri, 10 Apr 2015 16:55:03 +0000

EXT4 is usually pretty good at keeping files fragmentation at minimum, but, sometimes, especially if dealing with really huge files, some fragmentation may actually occur.
Luckily EXT4 supports online defragmentation, command fsck displays, among other things, fragmentation percentage:

[root@fedora ~]$ fsck.ext4 -fvn /dev/sda1
e2fsck 1.42.12 (29-Aug-2014)
Warning! /dev/sda1 is mounted.
Warning: skipping journal recovery because doing a read-only filesystem check.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

 429 inodes used (1.31%, out of 32768)
 **5 non-contiguous files (1.2%)**
 1 non-contiguous directory (0.2%)
 # of inodes with ind/dind/tind blocks: 0/0/0
 Extent depth histogram: 420
 45161 blocks used (34.46%, out of 131072)
 0 bad blocks
 1 large file

 402 regular files
 17 directories
 0 character device files
 0 block device files
 0 fifos
 0 links
 1 symbolic link (1 fast symbolic link)
 0 sockets
------------
 420 files

The command e4defrag, which is contained in e2fsprogs, can be used to perform online defragmentation of EXT4 volumes.

Yum email updates notification

Sun, 15 Mar 2015 18:50:16 +0000

Yum provides a very useful package called yum-cron, its most publicized feature is the ability to enable yum to run nightly cron scheduled packages upgrades.
I honestly don’t really think it is a good idea at all to let the system manage updates by himself but yum-cron can be used for another bunch of tasks, the most interesting one being: send an email if there are updates available.

yum install yum-cron

Configuration is actually pretty simple.

Email server: Dovecot and Postfix

Fri, 20 Feb 2015 14:23:20 +0000

Postfix configuration

Install the required software:

$ yum install postfix postgrey dovecot fail2ban spamassassin 
spamass-milter-postfix opendkim

Create TLS certificate, key and CA authority (replace mail.domain.tld with a valid domain name):

$ mkdir /etc/postfix/ssl
$ cd /etc/postfix/ssl
$ openssl genrsa -aes256 -out mail.domain.tld.key 4096
$ chmod 600 mail.domain.tld.key
$ openssl req -sha256 -new -key mail.domain.tld.key -out mail.domain.tld.csr
$ openssl x509 -sha256 -req -days 1825 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
$ openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
$ mv mail.domain.tld.key.nopass mail.domain.tld.key
$ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 -sha256
$ chmod 600 mail.domain.tld.key
$ chmod 600 cakey.pem
$ openssl dhparam -out dhparams.pem 4096
$ chmod 600 dhparams.pem

Edit main.cf file accordingly (the other lines should be ok by default).
No SQL database is used, for user authentication postfix relies on Linux users, email data are stored in ~/Maildir.

KVM and PCI (VGA) passthrough

Mon, 19 Jan 2015 18:16:20 +0000

First off, I failed so there will not be any kind of walk-through or guide.
Hardware/software setup is sub-optimal and is for sure part of the problem for at least three reasons:

as primary display adapter I use an Nvidia GTX 750ti;
I use Nvidia proprietary driver because nouveau support for newest graphic cards isn’t good (this is an understatement to say the least);
it isn’t completely clear if Intel Z97 chipset supports VT-D or not and if it does on what level it does.
The whole configuration is:
– Xeon E3-1241v3
– Gigabyte Z97X-UD5H (BIOS F8)
– Crucial DDR3 2×8 GB PC3-12800
– Nvidia GTX 750ti :: host graphic card
– ATI HD7950 :: VM graphic card
Another issue is the complete lack of documentation on vfio_pci and VGA passthrough in general, even Fedora KVM related documentation is not up to date and make no mention of vfio kernel module; the best place to get information on the subject is a thread on the Arch Linux forum but even this time the whole process is not documented in a decent way.
Anyway, I had this beefy HD7950 lying around and I thought: why not give VGA passthrough a try? After configuring the thing with information I found around the net I got prompted with the following error:

vfio: error, group 1 is not viable, please ensure all devices within the iommu_group are bound to their vfio bus driver

PCI slot isolation on this Gigabyte sucks, both the ATI (first slot) and Nvidia (second slot) – I tried every slot combination – are bound to the same IOMMU group and even patching and recompiling a custom kernel with ACS overrider and VGA arbiter lock patches didn’t really solve the issue.
Just before giving up I took out the Nvidia and plugged in an old Matrox PCI graphic card, this way with the IOMMU group #1 used only for the ATI HD7950 I was able to start the VM so VGA passthrough works at least to some extent on this Gigabyte motherboard.
Some questions like an integrated graphic card will be bound to the same IOMMU group as PCI-E graphic cards? or using two ATI would make any difference? remain unanswered.
For reference I also gave Virtualbox a try since they advertise PCI passthrough too, when starting the VM the whole host system freeze…so no luck with it either.

Fedora 21 and MTP

Wed, 10 Dec 2014 10:35:51 +0000

In order to be able to mount a MTP device (in my case it is a Oneplus One) in thunar file manager the following packages are needed: simple-mtpfs libmtp fuse fuse-libs gvfs-mtp. After installing the previous listed packages restart the system.
Once installed the device can me be mounted with simple-mtpfs _directory_, unmounted with fusermount -u _directory_ or mounted with thunar/gigolo/etc.

Android, Firefox and video corruption

Tue, 09 Dec 2014 10:51:50 +0000

When playing html5 videos with my 1+1 (Cyanogenmod 11 – snapshot M11 – Android 4.4.4 with ART runtime) using Firefox 33.1 (version 34 does not fix the bug either) audio works fine while video is completely corrupted with grey artifacts all over the place.
The problem appears to be quite common and is not only circumscribed to 1+1.
The best workaround so far is type about:config in the address bar, search for media.stagefright.omxcodec.flags and set its value to 8 to disable video hardware acceleration (0 lets android pick the best option and 16 forces hardware acceleration always on).
Firefox 36, which is currently in nightly stage, should come with a patch that will actually solve the issue but I am not comfortable with running a browser in alpha/beta stage so for now I will live without video hardware acceleration.

OnePlus One

Tue, 14 Oct 2014 19:26:44 +0000

Two weeks ago while wasting time on the interwebs I found by accident a couple of OnePlus One invites.
To be honest I wasn’t planning on buying a new phone since my previous Nexus 4 is still serving me well but seeing OPO price (299 € for the 64 GB one) and specs I said: well, fuck it.
So far I like it very much, the bigger screen makes general usage more enjoyable and battery life is significantly better than Nexus 4, it lasts 2 days without many problems.
I can’t really comment on Cyanogenmod OPO edition or whatever the stock ROM is called since I used it for just the bunch of minutes necessarily to enable USB debug, unlock the bootloader and install recovery and stock Cyanogenmod 11 snapshot M11.
One thing I for sure don’t like is the unlock screen, stock Cyanogenmod one is way way better but that’s pretty much it, can’t say more.

Get rid of SHA-1 – nginx, TLSv1.2, PFS and SHA-2

Tue, 09 Sep 2014 18:02:32 +0000

Everyone who knows me a little bit knows how much I dislike Google but this time we really should thank them for taking a real step toward a more secure web.
They are finally moving away from SHA-1 to the much more secure SHA-2, more info can be found here: http://googleonlinesecurity.blogspot.it/2014/09/gradually-sunsetting-sha-1.html

.:. Setup

CentOS 6.5 x86_64
nginx/1.6.1
OpenSSL 1.0.1e-fips 11 Feb 2013

Nginx developers provide an up to date repository (http://wiki.nginx.org/Install)for CentOS:

pdnsd automatic startup Arch Linux

Sat, 30 Aug 2014 11:01:53 +0000

I have this Arch Linux based ODROID-U3 I use as DLNA server, local web server…etc…and also as local DNS caching server.
For some strange reason pdnsd doesn’t seem to start correctly on Arch Linux.

[root@server ~]# systemctl status pdnsd -l
● pdnsd.service - proxy name server
 Loaded: loaded (/usr/lib/systemd/system/pdnsd.service; enabled)
 Active: failed (Result: exit-code) since Sat 2000-01-01 20:02:07 CET; 14 years 7 months ago
 Process: 182 ExecStart=/usr/bin/pdnsd (code=exited, status=3)
 Main PID: 182 (code=exited, status=3)

Jan 01 20:02:06 server systemd[1]: Starting proxy name server...
Jan 01 20:02:06 server systemd[1]: Started proxy name server.
Jan 01 20:02:06 server pdnsd[182]: Error in config file (line 11): Failed to get IP address of eth0: Cannot assign requested address
Jan 01 20:02:07 server systemd[1]: pdnsd.service: main process exited, code=exited, status=3/NOTIMPLEMENTED
Jan 01 20:02:07 server systemd[1]: Unit pdnsd.service entered failed state.

Adding After=network-online.target and Wants=network-online.target in the Unit section of the startup script doesn’t seem to make any difference.
So far the only workaround which really works is adding the line After=multi-user.target in the service script.

Rockbox IPOD Classic mounted as read only

Fri, 29 Aug 2014 11:14:13 +0000

So, I have this big ass fancy IPOD Classic, the stock OS is, like most of the apple stuff, dogshit; I installed Rockbox and gave him new life.
Yesterday I had some strange errors during theme installation (RockboxUtility on Fedora X86_64), files extraction failed or something like this.
At first I thought of a corrupted Rockbox installation, after a bit of thinkering I found out the thing was just mounted as read only; tried to mount it manually with the rw flag but still a no go.
Umount the volume and run fsck.vfat /dev/sd*2 saved the day, now the IPOD is mountable as rw.

ejabberd XMPP server configuration guide

Mon, 11 Aug 2014 16:08:21 +0000

I will be keeping this post up to date to keep track on how to configure and mantain an ejabberd server working efficiently and secure. I strongly advise any reader to read carefully what is written here and not just copy-and-paste the configuration file.
My blog also contains a bunch of other posts regarding ejabberd that are worth giving a look at, use the search form.

Server


CentOS 7.5.1804 x86_64
Erlang/OTP 21.1.1-1 x86_64
ejabberd 18.09

Client


LineageOS 15.1 (Android Nougat)
Conversations 2.3.5+fcr

.:. Installation and initial configuration

Download and install erlang (release numbers here may not be up to date):

ODROID-U3 network unreachable

Wed, 16 Jul 2014 17:30:09 +0000

This issue seems to affect not only ODROID-U3 but many other devices and seems to be present on multiple OS too (Arch Linux ARM in my case).
What happen is that after some hours/days of intense network traffic (e.g. a torrent client installed on the board) the system logs are flooded with errors and a page allocation error occurs which results in a network disconnection.
In my case the tool journalctl report a moltitude of smsc95xx 1-2:1.0 eth0: kevent 2 may have been dropped errors.
The workarounds that should (time will tell…) solve the issue consist in creating a file named for example smsc.conf in /etc/modprobe.d and put in it the following string: smsc95xx turbo_mode=N
Disabling turbo mode will prevent the network adapter from sending multiple frames at the same time, single file copy performace in my case is invariated (9.4 MB/s ~) with and without turbo mode and the errors from syslogs are completely gone.

Protect Transmission WEB GUI with nginx and HTTPS

Thu, 19 Jun 2014 17:45:16 +0000

I have this small Odroid-U3 board hooked to a 2 TB USB HDD that every once in a while is also used to download torrents.
Since quite often I manage it with a device connected to the LAN via wi-fi I am definitely a bit more confortable if the web interface of transmission is encrypted.
Like many other times nginx come in our help.
– Arch Linux ARM is the OS used –
First of all, edit the following two lines of transmission config file:

Interesting read on Samba 4

Wed, 11 Jun 2014 16:07:25 +0000

In the last month or so despite not having much spare time I spent a few hours reading an interesting book: Implementing Samba 4
It actually is more than a simple book, it is a well written step-by-step guide on how to install (on Debian 7, not that it makes much difference, the installation is really similar on CentOS for example), configure, manage and even migrate an existing Active Directory domain controller from Windows Server to GNU/Linux.
It consists of 9 chapters each one covering the most important features of Samba 4; everything explained in the book is also integrated with code snippets, scripts and command line examples.
I am sure this book will come real handy in case I will have to setup a GNU/Linux based AD domain controller.

Elantech touchpad and Mint 16

Wed, 09 Apr 2014 15:58:43 +0000

Today I installed Linux Mint on an Asus X551CA laptop.
Everything was fine except Mint being shit and the damn Elantech touchpad being even worse than Mint.
I will never understand why the fuckers at Canonical and whoever is in charge of Mint development are always 6 months late with important updates like new kernels with added hardware support.
The damn Elantech touchpad is supported since kernel 3.12., too bad Mint is stuck with 3.11., so to make it working I had to manually install a newer kernel (version 3.13.9).
Download the following packages…

Systemd mount volume at boot

Tue, 08 Apr 2014 17:11:54 +0000

Since fstab (even with nofail option enabled) doesn’t seem to behave too good when trying to mount at boot something that isn’t actually plugged in (like an USB HDD) I realized it was a good idea to write a small script to run at startup which will be able to handle the situation a bit better.
Arch Linux uses Systemd and even though a rc.local file can be created I decided to take the opportunity to understand a little bit of how it works and write a mount script for it.
Following what’s written here it seems pretty easy, just write a text file and put it in /etc/systemd/system:

Avahi on Arch linux ARM

Thu, 03 Apr 2014 22:50:52 +0000

From wikipedia: Avahi is a FLOSS Zero-configuration networking (zeroconf) implementation, including a system for multicast DNS/DNS-SD service discovery.
Long story short: Avahi is used to resolve hostnames of LAN devices.
I happen to have an ARM box on which runs a pretty minimal Arch Linux installation.
Installing Avahi is pretty easy:

[root@k* ~]# pacman -S avahi nss-mdns

The latest version of Avahi (0.6.31-11) makes use of SO_REUSEPORT which is a new feature introduced in Linux kernel 3.9, the latest official Arch Linux kernel for my platform is 3.8.13.19-2-ARCH so when I try to start the service systemd reports the following error:

Nginx and password protected pages

Wed, 05 Mar 2014 11:26:24 +0000

To password protect a directory xyz and every file and subdirectory in it open the configuration file (nginx.conf or one of the virtual host configuration files) and add the following two lines:

location /xyz/ {
 auth_basic "Restricted Area";
 auth_basic_user_file conf.d/htpasswd;
}

htpasswd file must be encrypted, it can be created using a tool named htpasswd.

[root@xenserver ~]# cd /etc/nginx/conf.d/
[root@xenserver ~]# htpasswd -b htpasswd user password

XenServer 6.2 and fake RAID1

Thu, 27 Feb 2014 13:59:52 +0000

XenServer, like many other bare-metal hypervisors, only supports a small bunch of RAID controllers.
The difference between it and for example VMware ESXi is that XenServer is pretty much a CentOS minimal install with some proprietary administration tools and a pretty decent remote manager (only for Windows as long as I know…) while ESXi is a completely proprietary closed source blob.
XenServer being based on CentOS makes it possible to do many weird unsupported things, like installing it on a software fake RAID on ICH8R.
To install it on a software RAID1 all we have to do is perform the usual installation (without configuring any local storage) on a single HDD (/dev/sda), copy everything on a second drive (/dev/sdb) and use mdadm to build a couple of RAID volumes.
– I’m pretty much only reposting things I read somewhere, I don’t take any credit for this guide –

FLAC+CUE to multiple tracks

Wed, 26 Feb 2014 14:08:25 +0000

Let’s say we have a big single FLAC file we want to split into multiple files, we are on Fedora and we don’t want to use anything but the command line.
First of all:

[root@fedora ~]$ yum install lame ffmpeg shntool cuetools

To split the single FLAC file run:

[user@fedora ~]$ shnsplit -o flac -f file_name.cue -t "%n - %p - %t" file_name.flac

This will produce n single files, -t parameter is used to specify file name format (in this case: track_number – performer – track_name).
To copy metadata from CUE to the single files run:

ZOWIE EC1 eVo CL on Linux

Tue, 28 Jan 2014 18:23:02 +0000

One year ago or so I wrote about my experience using the Logitech G500 on Linux, I like the mouse a lot, especially the scroll wheel, but there were also a couple of issues I couldn’t live with:

no driver for Linux, tuning DPI settings is a real PITA;
the fucker doesn’t track on close to every surface, be it a gadget mousepad you got for free at a meeting, a wooden table, a plastic-something table or a 20 € mousepad.
I don’t want this post to be a rant against Logitech even if I think I’ve all the right to be at least a bit angry since I bought a quite high priced mouse which basically doesn’t work.
Anyway, before using the G500 for 1 year or so I did like 6 years with a Razer Deathadder and I LOVED it (for the reference, it still works like the first day but is in really bad shape aesthetically speaking).
This Zowie is pretty much a Razer Deathadder with the plus of being plug-and-play, no drivers, a button for switching between 450, 1150 and 2300 DPI and tracks on every mousepad I have.

XScreenSaver and backlight

Tue, 21 Jan 2014 14:57:35 +0000

Long story short: in Fedora 20 (and as far as I remember also 19 and 18) XScreenSaver doesn’t power off the monitor backlight when locking the screen.
Being the lazy ass I am it took like me 2 or 3 years to find the motivation to solve the issue.
It was actually pretty simple, no need to edit some obscure config file or else, in XFCE just click on: Application menu -> Settings -> Screensaver.
A window will appear, select Blank Screen Only in the Mode dropdown menu, then switch to the advanced tab, un-check power Management Enabled and check Quick Power-off in Blank Only Mode.
This is it, now every time the screen locks the monitor backlight will also power off.

ejabberd and lost messages, possible “solutions”

Fri, 17 Jan 2014 14:30:12 +0000

Being the tinfoil hat I am I obviously don’t like nor use whatsapp, some time ago I set up my own XMPP server and made a bunch of close friends switch to it.
There are multiple clients for every platform, my personal preference goes to Xabber on Android and Pidgin on GNU/Linux; both support OTR encryption and all around are pretty decent clients.
The only real issue we had so far is the very annoying problem of lost messages; if the internet connection is stable and decent the problem will very likely never come up, too bad that mobile phone internet connection is everything but stable.
Every time there is a switch between EDGE, 3G, HSDPA and 4G the mobile phone is out of reach for some seconds (some time much more than just some).
The switch between let’s say 3G and HSDPA is not predictable, so the client has physically no time to notificate the server that he is about to close the connection and on the other hand the server also has some trouble knowing if someone suddenly disconnect.
Here comes XEP-199 a.k.a. XMPP ping, it is used to probe the clients connection state every X seconds, in my ejabbed (the XMPP server I use) configuration it is set to 60 seconds, so every 60 seconds the server ping every client, if after 32 additional seconds a client has not replied it will be considered as disconnected and any further message sent from everyone to it will be cached by the server and resent the next time the client will be back online.
Enable XEP-199 in ejabberd is pretty easy…

CentOS 6.5 is out

Mon, 02 Dec 2013 17:56:42 +0000

Ok, -everyone- knows it, this new version introduces a number of interesting updates, one above all: openssl version 1.0.1.
Openssl is the library used by many programs to perform encryption tasks, for example it’s used by openssh, webservers, etc etc.
The version included in CentOS 6.4 was really outdated, it doesn’t support TLS v1.2 for example, so I had to install it separately (which is a PITA to say the least).
With the new version included in CentOS 6.5 TLS v1.2 works out of the box, keep up the good work CentOS team.

This is not a comeback

Mon, 02 Dec 2013 17:34:32 +0000

It’s been quite a while since the last time I fired up the single stage (actually, it should be 290 days), let alone having a LN2 session.
Past saturday I went to my grandfather’s place and got him a new PC since his precedent one is, to say the least, outdated.
Anyway, since the old one has some interesting parts I decided to give it a try, hooked it to the single stage and baaaaaaam.

ipset, a clever and effective way to block indesired hosts

Sun, 13 Oct 2013 16:06:38 +0000

This post is meant to be the sequel of the one I wrote one month ago about CentOS as router, transparent proxy, and much more.
A big chunk of the precedent article is on how configure squid and squidGuard to act as a transparent proxy with URLs filtering capabilities.
But there’s a problem with that: nowadays many sites (f4c3b00k.c0m just to name the most annoying one) are HTTPS.
With HTTP one can really easily intercept a packet and read the payload (which contains the URL) but with HTTPS this is not possible anymore since the payload is encrypted.
The only way to be able to read the payload of an HTTPS packet is doing a man-in-the-middle attack with a fake certificate, but that’s not advisable and you really don’t wanna do it.
If, like in my case, we are not interested in what the users are doing but we just want them to not be able to access some sites/services/whatever ipset (combined with iptables) are the right tools for the job.
iptables is a pretty powerful tool, the only real issue is that it doesn’t scale pretty well if the number of the rules is very big, and this is not a good thing since we probably want to blacklist thousands of IPs.
And here comes ipset: with it it’s possible to manage huge blacklists without iptables slowing down.

miniDLNA on Fedora 19

Mon, 07 Oct 2013 17:33:39 +0000

I got a new TV for the living room (a Panasonic Viera TX-L39E6E) which is DLNA capable.
To be honest I’m also planning to build some kind of media center, maybe a really low power one, based on some kind of raspeberry-pi lookalike device.
Anyway, for now I’m using my workstation (Fedora 19 x86_64) to stream video contents using miniDLNA.
First of all, let’s install it with the usual:

$ sudo yum install minidlna

Then, edit the following file:

CentOS as router, transparent proxy, and much more

Mon, 16 Sep 2013 18:59:19 +0000

As usual, long story short: I’ve to setup a firewall to log traffic, block some stuff and do some other things.
– epel repo is required –
The system is made of a single CentOS machine with 2 physical network adapters:

eth0, connected to WAN, static IP address 192.168.0.3
eth1, connected to LAN, static IP address 10.0.0.1/24

.:. Network adapters configuration

WAN network adapter:

[root@CentOS ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
BOOTPROTO="none"
HWADDR="**:**:**:**:**:**"
IPADDR=192.168.0.3
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
DNS=192.168.0.1
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="***"

LAN network adapter:

CyanogenMod 10.1.2 high network traffic

Mon, 02 Sep 2013 22:12:32 +0000

Ok, I know I fucked up, I know everyone who knows me just a little bit would never expect this, but I got my first mobile phone or, like they call them nowadays: a smartphone.
I don’t like the smartphone buzzword since I think the only smart ones here are the guys who are able to sell this stuff for hundreds of bucks to billions of people, so I’ll stick with the old and almost forgotten mobile phone name.
Anyway, I got this brand new Nexus 4, played with it a couple of days and then, following the official guide on CyanogenMod site, I installed the latest stable release of it (based on Android 4.2.2).
– Why the Nexus 4? Because Nexus devices are the only Android phones worth to be bought. –
CyanogenMod works great and with some programs (don’t fucking call them apps, seriously, don’t do it) installed (k-9 Mail, OpenVPN, BusyBox and JuiceSSH) I’m almost able to perform all the tasks I usually do with my workstation or Thinkpad.
The only real issue is the process, or whatever it is, called Google Services using an enormous amount of network resources without any apparent good reason.
Luckily I’ve a friend called DuckDuckGo which in a bunch of seconds was able to tell me how to solve the issue.
The problem seems to be connected to the Google Play Store which is completely retarded and keeps downloading some kind of system updates which obviously is not able to install since I’m not using the stock Android operating system provided by Google.
The solution is pretty simple:

CentOS 6.4, QEMU+KVM

Mon, 19 Aug 2013 22:54:50 +0000

It’s summer, it’s hot as hell, I am back home from mountains and I’ve plenty of free time.
Between a barbecue and the next one I spend my time playing with and learning new stuff: this week new stuff is called QEMU-KVM.
Yesterday I also tried XenServer but to be honest I wasn’t impressed, it just look like to be an old version of CentOS minimal install with some custom repos and a fancy GUI.
I played with it for just a bunch of hours, but the thing that just performing an installation on a software RAID-1 turned out to be a PITA to say the least is a clear sign that it’s not the best tool for my needs.
I swapped a couple of HDDs and in 2 minutes I went back to the already installed CentOS 6.4 with QEMU+KVM.
The client machine, for what it matters, is my Fedora 19 x86_64 workstation, virsh and virt-manager the tools I use for remote administration tasks.
Installing QEMU-KVM is just a matter of typing yum install libvirtd qemu-kvm bla bla bla, chkconfig libvirtd on and doing a system reboot (better safe than sorry).
The tricky part at least for me was setting up a damn bridged network interface, luckily I found this great writeup.
I am going to report here what I did to setup a couple of bridged network interfaces on my setup.

nginx and TLS v1.2

Sat, 10 Aug 2013 14:03:39 +0000

Given that SSL and TLS, especially v1.0, suffer from serious security issues (e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS) I thought it would be a good idea to use the latest and more secure version of it: v1.2.
On CentOS 6.4 the openssl version included is quite old and doesn’t support TLS v1.1 and 1.2.
So, first of all we have to install the latest version 1.0.1e, it can be done compiling from sources or by adding a third party repository; I chose the latter.

WordPress admin, SSL, Apache + nginx

Tue, 30 Jul 2013 15:49:37 +0000

Let’s say we have a WordPress blog and we would like to encrypt our login pages and the whole back-end of the site.
There are many ways to do it, but since I already have a nginx instance configured as reverse proxy running in front of Apache I’ll use it to protect my admin pages and logins.
In this page I’ll not cover Apache’s configuration, which, by the way, is trivial to say the least, so please refer to this other post: Apache + nginx as reverse proxy.
Using the configuration posted in the above’s link as starting point, to add SSL encryption to admin pages we should add a couple more bunch of lines of code.
First of all, we must create our own Certificate Authority and issue a SSL certificate.
Another option is buying a certificate, but I don’t trust CA (certificate forgery anyone?) and I don’t mind having a properly signed certificate for a page I am the only one accessing to.
Follows a brief explanation on how to create a CA and issue a certificate.

Linux Kernel 3.10 and VMware Workstation 9

Sat, 27 Jul 2013 14:11:04 +0000

A new Linux kernel version is released and guess what: VMware Workstation fucked up once again.
The fix posted on the Arch Linux wiki is applicable also to Fedora 19, I’ll post it here for future reference.

$ cd /tmp
$ curl -O http://pkgbuild.com/git/aur-mirror.git/plain/vmware-patch/vmblock-9.0.2-5.0.2-3.10.patch
$ curl -O http://pkgbuild.com/git/aur-mirror.git/plain/vmware-patch/vmnet-9.0.2-5.0.2-3.10.patch
$ cd /usr/lib/vmware/modules/source
# tar -xvf vmblock.tar
# tar -xvf vmnet.tar
# patch -p0 -i /tmp/vmblock-9.0.2-5.0.2-3.10.patch
# patch -p0 -i /tmp/vmnet-9.0.2-5.0.2-3.10.patch
# tar -cf vmblock.tar vmblock-only
# tar -cf vmnet.tar vmnet-only
# rm -r vmblock-only
# rm -r vmnet-only
# vmware-modconfig --console --install-all

For more information: https://wiki.archlinux.org/index.php/VMware#3.10_kernels

DeaDBeeF compiled from source

Thu, 04 Jul 2013 00:23:20 +0000

Yesterday was the big day, Fedora Schrödinger's Cat 19 stable release was released.
Since I had a free afternoon I decided to install it on my Thinkpad, and luckily everything was fine, even Anaconada installer issues with UMTS modules are gone, VMware Workstation 9.0.2 was working fine and so on.
The only issue I had was with DeaDBeeF audio player, I am using it from quite a long time and I like it a lot; too bad it’s not included in the default Fedora’s repos nor in the epel ones so every time I have to install it manually.
On the official site there’s no sign of an rpm built for Fedora 19 (ok, I understand it, it’s been released less than 48 hours ago) and I don’t seem to be able to install the one for Fedora 18, so I decided to compile it from source, and that was a PITA to say the least.
The README file included in the source code tar.gz archive is not of much help since, even with all the listed dependencies installed, after a good 2 o 3 minutes of compilation I got only an half working program which shows up properly but doesn’t play any kind of audio file.
Official documentation pages are also well hidden, but at least they are somewhat useful to compile the program so I guess it’s a good idea publicise them here.
Needed dependencies (rpmfusion free and non-free required) are:

Apache + nginx as reverse proxy

Fri, 21 Jun 2013 16:11:13 +0000

One of the things I was planning to do but never did is installing nginx as reverse proxy in front of Apache.
nginx is present in the epel repos for CentOS, so the installation process is just a matter of:

yum install nginx mysql mysql-server phpmyadmin httpd

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

yum install mod_rpaf

mkdir /etc/nginx/v.hosts

vi /etc/nginx/nginx.con

http {
 include v.hosts/*.conf;
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 
 access_log /var/log/nginx/access.log main; 
 
 charset utf-8;
 keepalive_timeout 65;
 server_tokens off;
 sendfile on;
 tcp_nopush on;
 tcp_nodelay off;
 
# Default Server Block to catch undefined host names
# server {
# listen 80;
# server_name _; 
# root /usr/share/nginx/html;
# index index.html index.htm; }
}

/usr/sbin/nginx -t

 server {
 listen 80;
	 server_name nagg.eu;
 
 access_log off;
 error_log off;
 
 location / {
 proxy_pass http://127.0.0.1:8080;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Host $host;
 proxy_redirect off;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_connect_timeout 90;
 proxy_send_timeout 90;
 proxy_read_timeout 90;
 client_max_body_size 10m;
 client_body_buffer_size 128k;
 proxy_buffer_size 4k;
 proxy_buffers 4 32k;
 proxy_busy_buffers_size 64k;
 }
 }

sudo /usr/sbin/nginx -t
service nginx restart

Wireshark as unprivileged user

Fri, 07 Jun 2013 01:22:27 +0000

Documentation on the Wireshark wiki seems to not be really up to date, or at least it’s not completely applicable to Fedora 18, so here is what I did to make it work.
After installing Wireshark (and its GUI) with the usual:

yum install wireshark-gnome

It should automatically create a group called wireshark and we are supposed to add our user (mafio in my case) to this group:

usermod -a -G wireshark mafio
newgrp wireshark ### used to force the new settings without having to logout/login

Then issue this last command:

OpenVPN server and CentOS

Sun, 19 May 2013 17:52:52 +0000

OpenVPN is the de facto standard VPN free open source software; it is widely used, tested, well documented and also included in the CentOS repos (EPEL).

.:. Server side configuration

yum install openvpn easy-rsa dnsmasq

When yum is done installing the required packages, copy the sample config file.

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Uncomment/edit the following lines in /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
cipher AES-256-GCM
#comp-lzo # Disable LZO compression
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log # disable log, optional
;log-append openvpn.log # disable log, optional
user nobody
group nobody

Now, create two folders easy-rsa/keys in /etc/openvpn and copy some files into them:

Logitech G500 and Linux

Wed, 01 May 2013 15:10:47 +0000

Despite not being a gamer at all I see having a decent mouse as an important thing, I spend 10 to 15 hours a day in front of my PC and probably for at least half of the time I’m using the mouse, so I don’t get why I should not have the best input peripherals on the market.
My current mouse is a Logitech G500 (NP 910-001262), of course it being the best mouse on the market is an highly debatable thing since, along side with the keyboard, mouse choice is highly subjective.
G500 is something you love or you hate, starting from the unusual scroll wheel, going to the sensor position to the strange side buttons there are a lot of uncommon things.
This small write-up is not meant to be a review nor a guide, I would like it to be just a bunch of tips from someone who is using a G500 on a Linux box.
First of all: this mouse has no angle snapping, or better, out of the box angle snapping is enabled (Logitech, why? seriously, none like angle snapping) but it can be disabled from drivers.
Obviously drivers are available only for Windows (Logitech…) and I don’t seem to be able to change mouse settings from a virtual machine (VMware Workstation 9), anyway I didn’t put much time on this so it could be doable.
So what I suggest is plug G500 in a physical Windows machine, install drivers and tune the settings, once you are done, save settings on G500 internal memory and plug it in your Linux machine.
Once in Linux, which in my case is Fedora 18 and XFCE as DE, there are still acceleration issues which can be solved quite easily using xinput.
– Someone report that G500 sensor is flawed and it has some kind of built-in acceleration, honestly I don’t see it but could be that I’m just used to it –

XRDP and CentOS 6

Fri, 26 Apr 2013 14:30:32 +0000

Yesterday’s night I installed a test machine to play with KVM and some other stuff, obviously the OS of choice is the trusty CentOS.
I did a pretty minimal net-install but decided to install gnome desktop environment anyway because why not, not that it will be of much use, but still.
Anyway, since the machine is an headless server it’s mandatory to be able to control it remotely, like the past 2 or 3 times, I installed XRDP expecting everything will be fine and working without any problem.
And here is when I was wrong.
It’s been quite a long time since the last time I installed XRDP somewhere, but I clearly remember it working flawless without any kind of manual configuration.
I did the usual yum install xrdp, confirm the installation, bla bla bla, service xrdp start and both sesman and xrdp started with no problem.
Then, when I went back to my workstation (Fedora 18 x64) and tried to connect to the server using Remmina Remote Desktop Client at first it seems to be working but once I typed user ID, password and press OK I got prompted the following error:

Linux Kernel 3.8.* – VMware failed to build vmci

Sun, 03 Mar 2013 15:59:47 +0000

Every time a new Kernel goes out there seems to be a new issue with VMware Workstation 9.
Today I updated a couple of Fedora 18 boxes, applied the usual workaround (I wrote a post about it one month ago or so) which consists in ONE OF the following steps:

ln -s /usr/src/kernels/_kernel_version_/include/generated/uapi/linux/version.h /usr/src/kernels/_kernel_version_/include/linux/version.h
### OR
cp /usr/src/kernels/_kernel_version_/include/generated/uapi/linux/version.h /lib/modules/_kernel_version_/build/include/linux/

Rebooted and then issued the usual command (vmware-modconfig –console –install-all) to rebuild the needed VMware modules just to find out that it isn’t possible to rebuild the VMCI module.
On the VMware official forum I found a thread (http://communities.vmware.com/message/2182440#2182440) in which a user provides a patch.
Apply the patch is fairly simple:

Fedora 18: TRIM and luks

Fri, 01 Mar 2013 23:44:42 +0000

At a first glance enabling TRIM on a luks encrypted volume looks quite easy, and, as a matter of a fact it is.
The shitstorm starts when trying to enable TRIM on the root volume, but, let’s go one step at a time.

First of all, enabling trim on a regular not encrypted volume is pretty easy; just open the file /etc/fstab and add the flag discard.
You may also want to add the flag noatime to prevent the OS from writing additional informations regarding last access date and such, it’s not strictly necessary but it will save the SSD’s cells some useless write operations.
The fstab file should look like this (here only one row is reported):

File search in Thunar

Wed, 20 Feb 2013 23:44:40 +0000

Thunar 1.6.2 (the default XFCE file manager) doesn’t seems to provide any kind of built in search function by default.
A good way to address this issue is use catfish (which is installed by default in Fedora 18), just open Thunar, go to Edit and then Custom Actions and add the following line: catfish –fileman=thunar –hidden –path=%f

Samba 4, simple directory sharing

Sat, 19 Jan 2013 17:23:11 +0000

With Samba being the clusterfuck it is, every time a new version is released you have to expect something to be messed up.
This time they added a bunch of new features like MS Active Directory support, too bad that now the simple directory sharing is broken/not working like it did before.
Something like 1 year ago I wrote a small guide about how to setup a Samba share on Centos 6 and I used the same smb.conf file on more than 10 machines without any problem since yesterday, when I tried it on my fresh installed Fedora 18 (which uses Samba 4.0.0). First of all, in the “Standalone Server Options” is reported that “security” options “share and server” are deprecated; too bad I just used “share” to save me the hassle of setting up a new user and stuff even if I would like the directory to be fully accessible by everyone without any restriction.
I tried it anyway with “security = share” but there was no way to make the folder accessible, when trying to access the Samba share I always got a popup in which I had to login.
So, at the end of the story, like it or not, I had to setup a new user, create a samba user and edit the “smb.conf” file.

Fedora 18 and VMware Workstation 9

Thu, 17 Jan 2013 22:51:37 +0000

During the installation process of VMware Workstation 9 some modules need to be compiled but unfortunately Workstation 9.0.1 doesn’t seems to be able to find by itself the correct kernel headers directory.
If kernel headers aren’t already installed, open the terminal and type as root: yum install kernel-*.
Wait for the process to be completed and then: sudo cp /usr/src/kernels/kernel_version.fc18.x86_64/include/generated/uapi/linux/version.h /lib/modules/kernel_version.fc18.x86_64/build/include/linux/.
This should do the trick.

Thunar file manager slow to start

Sun, 06 Jan 2013 13:23:51 +0000

The first time I open Thunar (the default XFCE file manager) in fedora 17 it takes up to 30 seconds to show up.
This is most likely due to Thunar trying – without being able – to mount a remote network folder, to solve the issue just open /usr/share/gvfs/mounts/network.mount and set AutoMount=false.

Thinkpad E320 and Fedora 17

Tue, 18 Dec 2012 21:05:21 +0000

First of all, forget everything about the myth: Loonix, it just werks. Close to nothing werks out of the box, tho with a good amount of patience and a bit of tinkering there are good chances to make the whole thing working in a decent manner.
First of all, the box I’ve here is a Thinkpad Edge 320 – 12983RG and I’ve installed Fedora 17 x64 with XFCE as DE.
It comes with the integrated Intel HD3000, no discrete graphic card and UMTS module (I didn’t tested if it’s working or not).

Beyerdynamic DT-770 PRO

Wed, 07 Nov 2012 23:16:44 +0000

I still can’t believe I finally made it, I quite lost the count of the times I told myself I have to buy a damn pair of headphones but I never actually did it.
Finally, after my usual one year or so of digging through specialized forums and stuff, 2 weeks ago, I bought my first pair of decent headphones.

First place 3rd stage Hwbot “October rush”

Fri, 19 Oct 2012 13:47:10 +0000

This month Hwbot.org’s competition is called October rush, it consists in 7 or 8 stages each one lasting only three days.
Because of my last year or so in which I was close to completely inactive I don’t have anymore much hardware, one of the few things I still have is my socket 939 setup and a bunch of single core A64 CPUs.
The third stage of the competition was 3DMark 01 with the limitation of using a socket 939 CPU, which is exactly what I have.

FX-55 Clalwhammer and LN2

Mon, 10 Sep 2012 10:03:47 +0000

Two weeks ago I gave my golden FX-55 Clalwhammer a run at LN2 but looks like I’ve not yet blogged about it; let’s do it then.
Since the first try using the single stage the CPU proved to be a good one but being a 130 nm voltage whore didn’t made the pretesting easy.
With the help of LN2 everything became easier and luckily the CPU loves volt and cold (the below result was made with a CPU temperature of around -100° C).

VMware vSphere ESXi license

Mon, 03 Sep 2012 22:28:59 +0000

I’m not so used to ESXi, it’s been a while since the last time I installed it and when today I had to do it I forgot where I have to put the damn license.
VMware did a very good job hiding the menu and the official site is good at everything but giving useful informations, so after a while I found by myself where the license page was.
Guess I should post the procedure here for future reference.

A question of reliability – 2.0

Sun, 02 Sep 2012 21:33:16 +0000

Lately I had an interesting debate with a friend of mine, he works for a small company which works in the IT field.
For obvious reason I will not write the name of the company nor who my friend is, anyway, what they do is the classical technical service and maintenance, servers machine deployment, system administration and so on.
These days everyone needs some kind of IT Infrastructure, everyone needs an ERP system, etc etc; obviously they have quite a lot of work with small/medium business companies.
Close to every machine they sell (except the classic desktop PCs) have a RAID; obviously I second that having a RAID is a must-have in every machine used for enterprise tasks but I also argue that there is RAID and RAID.
Many of the HDDs they use are going into NAS or low level server machine, to keep the price low and don’t have to add an external RAID controller the HDDs need to be SATA.
Nothing wrong with using SATA drives, but similarly as what can be said for RAIDs we can say that there is disk and disk.
For instance, if looking at the Western Digital HDDs lineup, it’s clear that they have two completely different series: the desktop one and the enterprise one.
These drives have different firmwares, different warranty policies and different error handling capabilities; so, another time, if the drive is going to be part of a RAID it’s very advisable to pick one of the enterprise series (Red, RAID edition or Velociraptor) because they are meant to be capable of working non-stop 24/7, they have 5 years warranty, they have a better error handling and on top they support TLER.
So, how people who are supposed to know what they are doing sell NAS with Caviar Blue HDDs instead of Caviar Red/RE? Why they don’t know what TLER is? Why they keep using RAID-5 when everyone know it’s crap?
My friend said they have more than 250 machines build with consumer desktop drives configured in RAID and so far they are having no problem; what they are failing to realize is that sooner or later the crap they are selling will explode under their chairs.
The whole internet is full of people complaining about consumer disks with not TREL support being dropped from RAIDs, same can be said for RAID-5 in which a second disk fails during the array rebuilding.
They remind me of the retards which use 4 HDDs in RAID-1 thinking that this way their data are safe, probably they don’t know that RAID is not a backup and that a broken controller or a much simpler file system corruption could possibly make their 4 disks mirror completely useless.
Well, guess sooner or later they will learn it the hard way…

Execution time :: C & Win

Sun, 05 Aug 2012 11:14:18 +0000

Once in a while I happen to have to know how much time a certain function needs to be executed.
While many programming languages have built in functions (time in Python, System.nanoTime() in Java and so on) to get this information, C doesn’t appear to have one.
There is timec.h but it appears to be quite inaccurate, so if extremely high accuracy is needed we have to rely on something else; the downside is that these much more reliable libraries are not platform independent.
For Windows platform Microsoft suggests to use QueryPerformanceFrequency method and so I did.
Digging through Google I found a post in which a guy posted some C++ code he used to query system time, I’ve adapted it and used it in my program.
For future reference I’m going to post it here.

Nerd gonna nerd

Sat, 04 Aug 2012 20:27:39 +0000

Today officially started my summer holiday, 5 days ago I had my last exam at university and now finally I’ve the time to do all the things I can’t find the time to do the rest of the year.
The majority of the people on earth awaits the summer holiday to completely stop doing what they do the entire year, pack things up and go away from home for as much as they can.
On the contrary, I like what I do the entire year and I don’t feel the need of doing something else; I just want to have the time to play with computer in a different way of what I have to do for university.
While everyone is thinking about sea, mountain, sports, etc etc I think what kind of program I may develop, what system I would like to build and so on.
This year my summer holiday is two weeks in Livigno; as usual I could not resist to get with me my laptop (actually there are two, mine and my father one’s) and a bunch of other hi-tech stuff.
So, this is what my setup will look like for the next two weeks:

Major upgrade

Fri, 20 Jul 2012 16:42:23 +0000

OK, not exactly an upgrade, but still an improvement over my precedent configuration.
You have to know that I used for a long time – years – a dual monitor configuration, something like 6 months ago one of the two monitors went nut and I had to replace it.
Obviously it was already discontinued by some time so I had to replace both my monitors, I decided to buy a single Dell U2412M (here is the post I wrote).
Nothing to complain about the monitor itself, also, I’ve no problem to say that so far it is one of the best purchases I ever did; the problem is that one monitor can be as big as you want but two smaller monitor are always better than one.
Explain why two smaller monitors are always better than a bigger one isn’t simple at all, but trust me, everyone who have used at least one time a multiple monitor configuration will be of the same thinking.
So today, after had used for 6 months or so a single monitor I bought another one; Below you can see a photo.

My daily dose of anti-apple

Mon, 25 Jun 2012 21:01:44 +0000

Today I had the bad luck to have to deal with a damn Macbook Pro on which I need to install a retarded software (IBM Rational Software Architect).
Despite RSA becoming one of the worst piece of crapware I’ve ever seen this time it wasn’t the problem.
The Macbook was one of the latest model, a 13″ one equipped with a Core i5 Sandy Bridge CPU and an awesome a certain amount of GB 5400 RPM hard disk drive…everything sold at the fair price of 1200 or so €.
As long as you use it just for what close to every Apple user use it – going on Facebook, synchronizing music tracks on an IPod and iCloud – everything is fine (tho, you can do these things with every PC/MAC/whatever-you-want not older than 6 or 7 years).
Anyway, if you happen to be one of those bunch of unlucky people on earth who pretend to use it for something different you will quickly face with the complete inability of this, I repeat, 1200 € worth machine, to provide, at least decent performances.
Starting from the point that many programs (like RSA) don’t exist for OSX you have to virtualize a Windows or Linux OS, and here comes the problem.
The 5400 RPM HDD is so crappy that when you fire up the virtual machine everything slow down to a level similar to a 10 years old PC with a P4 Willamette and a 20 GB PATA HDD.
I really don’t get why people keep buying those completely overpriced piece of garbage apple is selling; this Macbook Pro hardware wise is very similar to my Thinkpad but it costs much more (something like +80/90% over the price of the Thinkpad), is way slower, have an higher weight and miss some important features (like external battery, UMTS module, matte display, trackpad, etc etc).
Keep up the good work apple…

My new love: Python

Fri, 25 May 2012 17:32:30 +0000

Past Friday’s afternoon, around 3 pm, I was at university, specifically I was in one of the libraries and I was reading a book titled Concurrency; it’s about engineering concurrent systems using the modelling software LTSA and then write the actual program in Java.
While reading I was also talking with two friends of mine about a problem another friend found on a book; to make a long story short, the problem was about balancing a predefined non-balanced random function.
One of these two friends showed us how he solved the problem, the algorithm he wrote was written in Python.
When some hours later I was back home I did thought it was finally the time to install a Python interpreter and start playing with it. So I did it.
I got myself the latest release of Python interpreter and the Pydev plugin for Eclipse IDE, installation and configuration on Windows is incredibly straight forward, just a matter of pressing install and next 2 or 3 times.
I don’t have any Python book then as first programming guide I used the well known (at least here in Italy) html.it site, if you are not Italian just google Python and you will find a huge amount of interesting PDFs and guides of any kind.
After had digged trough the html.it Python guide in a bunch of hours (guess not more than 2 or 3) I felt myself just like the guy in this comics:

AMD and LN2

Sat, 28 Apr 2012 15:57:58 +0000

Yesterday’s afternoon and today I had a LN2 trip with two AMD setup.
I was aiming to break the 7 GHz wall with the trusty Phenom II 955 B.E. and improve my precedent results on socket 939 with the Opteron 148.
I failed in reaching 7 GHz with the 955, tho I managed to improve just a little bit my Super-pi 1M score…still not satisfied with it but it is better than nothing.
Also got the time to play with UCbench in which I got quite easily the first place on the bot in the 955 B.E. category.

Opteron 148 and 32M, lot of…time

Fri, 27 Apr 2012 10:41:10 +0000

What is the best way to kill time when you have close to nothing to do ?
Easy, run Super-pi 32M using an CPU which takes more than 20 minutes to complete each run…so I did it and killed with easy 8+ hours trying to pull, tho without success, a sub 21 min 32M run with my trusty Opteron 148.
Anyway, the result is still kinda worth to be posted here.

Crucial M4, new FW released

Thu, 12 Apr 2012 12:49:02 +0000

Yesterday Crucial released a new firmware for its M4 SSD series, the new version (codename 000F) is supposed to address some issues which used to appear when using the SSD connected to certain SATA/SAS controllers and generally improve stability and reliability.
Changes between version 0309 and 000F include the following changes:

Opteron 148 and LN2

Sun, 08 Apr 2012 10:15:45 +0000

Ten days ago I had an LN2 session together with this Opteron 148; finally today I’ve the time to write a post here and talk about that.

.:. SETUP:
CPU: Opteron 148 cabrio @1.5*123% volt – CABYE 0536GPMW
cooling: Guglio’s CPU pot 2.0 (CPU) and 1.0 (RAM)
MB: DFI nForce 4 Ultra-D – bios 623-2
RAM: Corsair PC3500C2 2×256 MB :: Winbond BH-5 – yellow slots
VGA: nvidia 6200 LE 256 MB PCI-E
HDD: Kingston SSDnow 60 GB sata2
PSU: PCP&C 1200
OS: 2k3 server TW

Opteron 148 meet Super-PI 32M

Sat, 24 Mar 2012 16:10:48 +0000

This is the moment we are all waiting for (ok, maybe not really everyone 😀 ).
Anyway, after approximately 10 hours of tweaking I came up with a quite interesting result.

.:. SETUP:
CPU: Opteron 148 cabrio @ 325×10.5 1.5*123 volt – CABYE 0536GPMW
cooling: Single Stage phase change
MB: DFI nForce 4 Ultra-D – bios 623-2
RAM: Corsair PC3500C2 2×256 MB @ 260 MHz 1.5-2-2-3 1t 3.7 volt:: Winbond BH-5 – yellow slots
VGA: nvidia 6200 LE 256 MB PCI-E
HDD: Kingston SSDnow 60 GB sata2
PSU: PCP&C 1200
OS: 2k3 server TW

AMD Socket 939 revival

Sat, 17 Mar 2012 11:20:15 +0000

Two weeks ago or so I bought a DFI nForce 4 Ultra-D, when it was here I had some fun playing with an old Athlon 64 3000+ core Winchester and some crappy DDR modules.
I had also a bunch of Winbond BH-5 kits, too bad they are all dead or semi-dead, so I had to stick with a kit of Micron value PC2700 cas 2.5.
Luckily a friend of mine was so glad to send me a kit of Corsair PC3500 cas 2 BH-5, so in the next few days I will have a decent kit of RAM to play with super-pi.
Other than this, 1 week ago I bought an Opteron 148 for 8.49 € plus 1.50 € of shipping cost, yesterday it arrived.
At a first try it was good for 3200+ MHz aircooled, so definetly deserves a try at lower temperature.

Dell U2412M – 24″ 16:10 IPS panel

Wed, 15 Feb 2012 21:36:31 +0000

As you can see, it’s quite a long time since my last overclocking related post here.
Even the one I’m writing now is not about overclocking, nothing of the latest hardware is interesting at all, so I don’t really bother go out and buy something.
When nothing interesting is on the market the things I do is: upgrade the daily use rig.
I’m not one of those interested in uber dupah performance, I’m alot more focused on reliability, so I never use the latest stuff for my DU rig…better to have 20 % less of performance but well tested and widely used components.
Because of what I wrote before, 1 week ago I bought a new monitor, a Dell U2412M.

Samba server on CentOS 6.2

Thu, 02 Feb 2012 20:20:21 +0000

Think I never mentioned it but I have a small home server, it was built with a c2d E6600, an Intel G965 mobo and some HDDs.
Since 2 weeks ago I was using Ubuntu then I decided it was time to try something better and more challenging than Ubuntu, my choice was CentOS.
Why use CentOS ? Because it’s one of the best enterprise class distro with 7 years support and have a good ammount of interesting features like services GUI manager and iptables GUI.
I don’t consider myself a Unix pro nor a noob but I’ve to say that the first touch with this distro wasn’t the best.
In fact I had lots of trouble trying to install CentOS from USB drive, after had lost 1 hour or so I took a DVD drive, burned the ISO on a DVD and installed from it.
When finally I was able to get into the OS the first thing I did was installing XRDP to remote control the machine from one of my other PCs.
I also installed Transmission torrent client, added some iptables rules and did some other things.
Everything was quite easy except the installation and configuration of Samba server, to be honest I didn’t remember well what I did to make it works on Ubuntu but here on CentOS it gave me some troubles.
Google this time wasn’t that helpful, there aren’t much info or guides about Samba on CentOS, so I think I should write here how I made it works.
First of all, we have to install Samba, open the terminal, get admin privileges and type: <pre name=“code” class"ruby"> yum install samba

Intel Rapid Storage and SSD

Wed, 01 Feb 2012 18:04:42 +0000

Today I happen to read somewhere about Intel Rapid Storage and SSD performance.
Well, I thought I had already installed it on my notebook but it seems I was wrong, so I did a quick google reserarch and downloaded the software from the Intel site.
Someone says this software boosts SSD performance, so I did the usual ATTO benchmark to have a previous / after comparison.

Crucial M4 – FW 0309

Sat, 14 Jan 2012 09:42:42 +0000

Yesterday Crucial released a new firmware for the whole M4 SSD lineup, the update over 0009 version was needed because of the so called 5200 hours bug.
Basicly, every M4 after a power on time of 5200 hours or so will start to hung every hour, this is because something is messed up with the SMART data.
This new firmware resolve this bug.
Yesterday’s evening I’ve upgraded at this new version of the firmware the M4-128GB I’ve in my Thinkpad.
Crucial doesn’t provide an update tool different from an ISO image to be burned on a CD but I’ve no DVD drive in my laptop.
So I dusted of UNetbootin and created a bootable USB drive with the update tool inside.
Then normally booted up from USB and followed the how to flash guide Crucial provide on its site.
There was no need to set SATA controller in IDE mode, I’ve performed the update while in AHCI mode without any kind of issue.

8 GHZ the hard way

Thu, 12 Jan 2012 13:35:18 +0000

After the epic fail experience with Faildozer I dediced to use the latest litres of LN2 to freeze the P4 631 I had laying on the desk for some time.
Honestly I didn’t expected to get such high clock.

SETUP:
CPU: Pentium 4 631 – VCORE 1.95 volt – VTT 1.5 – VPLL 1.6
cooling: Guglio’s CPU pot rev 2.0
MB: Rampage Extreme
RAM: Crucial PC3-12800 D9-GTS – 1.9 volt – white slot
VGA: nvidia 6200 LE 256 MB PCI-E
HDD: seagate 7200.10 160 GB sata
PSU: PCP&C 1200
OS: 2k3 server

CVF, FX-4100, Hypers and LN2

Tue, 10 Jan 2012 22:02:57 +0000

Last friday and saturday I had a 2 day LN2 trip with the CVF and my FX-4100 crap CPU.
Results were not good due to the crappy CPU but at least I had fun pushing the setup at its limit.
I only had time to test max frequency and do some super-pi 32M, then the CPU died.

SETUP:
CPU: FX-4100 – vcore 2.05 volt, vmch 1.65 volt
cooling: Guglio’s CPU pot rev 2.0
MB: Crosshair V Formula – bios 1003
RAM: G.Skill RipjawX 2133C8 – Elpida MNH-E-Hyper – 1.9 volt – red slots
VGA: nvidia 6200 LE 256 MB PCI-E
HDD: seagate 7200.10 160 GB sata
PSU: PCP&C 1200
OS: Win XP sp3 & 2k3 server TW

CVF, FX-4100, Hypers and lots of fun

Mon, 02 Jan 2012 18:32:41 +0000

I couldn’t resist, I’ve picked up a CVF to replace the crappy MSI 990FX.
Today I had the time to do some tests along with a set of G.Skill 2133c8 and an FX-4100.

_CPU: FX-4100 (later I will write down the batch) – vcore 1.5 volt, vmch 1.65 volt
cooling: single stage on CPU, everything else air cooled
MB: Crosshair V Formula – bios 1003
RAM: G.Skill RipjawX 2133C8 – Elpida MNH-E-Hyper – 1.9 volt – red slots
VGA: nvidia 6200 LE 256 MB PCI-E
HDD: seagate 7200.10 160 GB
PSU: PCP&C 1200 _

2012, here we are…

Sun, 01 Jan 2012 22:12:32 +0000

With some hours of delay I’m here writing a post about past year, new year, what I did and what I will do.
University in the past year went quite well, I also had the most importart thing: the healt; so really, I’ve nothing to complain about.
My usual Christmas trip ended just a bunch of hours ago, now I’m back at home with some new toys to play with.
I just love to go away the week across Christmas and Sylvester’s day, this way I don’t have the problem to go buy presents, I’ve not the problem to decide what to do the last night of the year.
I just know these days I will be away from home and it makes me feel so relaxed.
Doing presents is something I really don’t understand, I’m used to go out and buy whatever I need, probably I’m lucky, but I already have what I want.
Starting from that point, whatever present someone will give me will be something I don’t need, just think how much stuff you have in your house that you never use and you have just because someone give it to you; if someone is importart for me he will still be it even if he didn’t gave me a present on my birthday or Christmas.
Coming to the present I gave to myself, it is an ASUS Crosshair V Formula; after 3 dead MSI I decided it was time to buy something well know for being good.

no questions, X58 Classified rocks

Sun, 18 Dec 2011 00:01:02 +0000

After quite long time away from overclock due to the fact that the current generation hardware looks quite crappy and every other things I have except the trusty 1366 setup is dead or half dead I decided to forget performance and every other thing, go back 6 months and play with the i7-950 togheter with THE MOTHERBOARD, also known as EVGA X58 SLI Classified E760, and my favourite Elpida Hyper kit when low frequency and tight timings are required, the Super Talent Chrome 2000 cas8.

AMD Faildozer…errr…Bulldozer

Thu, 08 Dec 2011 11:42:56 +0000

Even if the new AMD Bulldozer CPUs are crap I had an FX-4100 on the desk for 1 month or so, finally 2 days ago I had my 3rd MSI 990FXA-GD80 (the precedent two died cause MSI is a dumbass company that is not able to pull out a working bios).
This third board came with an old 11.2 bios that doesn’t support Bulldozer CPUs, so I had to plug in a Deneb chip and flash another bios to be finally able to play with my new CPU.
The first bios I tried was the last one, 11.6, and well, it’s crap.
When having OC fail the bios corrupt itself so when you press del during post to enter the bios it works for 2 or 3 seconds and then freeze.
At least it’s still possible to reflash it, so till the next OC fail the mobo will work normally.
11.5 was even worse, it killed one of my precedent mobo, so better to don’t retry it.
11.4 seems the best so far, but still have corruption issues, in fact 1 hour ago, after 3 or 4 hours of usage, it killed my third board.
11.7 is on the MSI site, but I can’t try it cause the mobo is gone.
11.0, 11.1 and 11.2 don’t support Bulldozer CPUs.
So, if you plan to use a Bulldozer chip better to buy something else cause MSI is not able to make a properly working bios.
If you use a Deneb/Thuban stick with the 11.2 that so far is the best and as long as I know have not curruption issues.
I don’t wanna see this mobo anymore, will see if the retailer will be so willing to give me something else instead of this piece of crap.
They don’t have C5F, so probably I will go for Gigabyte 990FXA-UD5 hoping it’s at least a bit better than this MSI.

Lenovo Thinkpad E320 + Crucial M4-128

Wed, 30 Nov 2011 23:36:09 +0000

Finally the SSD I bought 2 weeks ago has arrived, it’s a Crucial M4 128 GB already equipped with the 0009 firmware.
The biggest problem I had to face when installing it was the thickness of the SSD, the notebook just supports 0.7 cm hard disk but the SSD is 0.9 cm thick.
After some thinking I came up at an end: there is no way to put it inside the notebook with its damn metallic case.
So, I took the circuit out of its metallic case and just put it inside the notebook.
To hold it in the right position I had to use a thin foil of neoprene.

A new – REAL – mobile device

Mon, 31 Oct 2011 10:20:14 +0000

After one year or so without a notebook I decide the time to buy a new one is arrived.
I’ve to say that I didn’t remember how difficult is to find a decent laptop, 99.999999 % of them are crap.
Quite everyone have a damn glossy monitor, a completly useless DVD drive (good only to make the weight grow) and no E-Sata port.
Other than that you can add that 85 % of them are also made with very poor materials, superthin plastic case and a very annoying flexible keyboard.
After some days of googling I came up on the Lenovo site, the site itself could be better but their notebooks are exactly what I’m looking for.
The name is different, Lenovo instead of IBM, but building quality is still exactly the same.
So I bought a Lenovo Thinkpad E320, a nice 650 € 13″ machine equiped with Sandy Bridge i3-2310M, 7200 rpm HDD, 4 GB of DDR3, E-Sata, 3 USB 2.0, UMTS module, matt display and 6 cell battery.
This is it:

A new DUD Bitch in da house

Thu, 20 Oct 2011 20:39:15 +0000

– updated on 22.10.2010 –

I think the title is self-explicative…I got a new 2600K and just like the precedent ones it’s a piece of crap.
The only ‘interesting’ thing is that this is a quite rare CPU, in fact it comes from Costa Rica plants.
It max out at the poor frequency of 5460 MHz, just a bunch of MHz higher than my precedent CPU.

I am out, that’s my choice

Sun, 02 Oct 2011 10:04:31 +0000

I am not so good in this kind of things, so I will be as short as possible.
After a careful consideration I decided to leave my role on HwProject.net and also leave the HwBot team, the only reason of my choice – and I would like to remark that this is ONLY MY choice – is because I need more freedom to say, write and do what I want without constantly having a big stone over my head that is only waiting to fall down and kill me.
While not having anymore any role on that site I will keep posting as simple user and I will continue to bench with my fellows overclocker.
As last thing I would like to remark that from today everything I will say, write and do will be just my thoughts, so if you have something to tell me write an e-mail or a PVT on xs, HwBot or HwProject.
Avoid to call frank or everyone else to ask for my telephone number because none will give it to you.

Gigabyte sucks, that’s why

Mon, 26 Sep 2011 13:25:34 +0000

Nothing new to test, no exams at university, no news about bulldozer…so today I would like to talk about Gigabyte.
In the last years I had lots of these overpriced piece of crap.
The only one that was worth to be bought was the P35-DS4, after than this I had only a bunch of piece of crap.
EP45-Extreme – had 3 of these – the first one arrived borked and never worked like it should do (especially considering it was 250 €), the second one after 4 months started to act weird, refuse to post with 4 DIMMs installed, then worked only with a set of Cellshock and finally died.
Had to RMA it, after the usual month, I had the replacement, put it in a case and after 4 months did exactly the same as the precedent one.
After sending it to Gigabyte I had to wait 2 months and half to get back the same board with a paper where they say that this piece of crap worked well.
I asked what kind of RAM they used but nothing, they didn’t reply my e-mail.
After had sent some more e-mails I was contacted by the local Gigabyte PR, he told me to go at a local shop and ask them to try my board and write somewhere that they certificate that the board doesn’t work…ya, sure, they will do this for me, especially for free…
I already wasted my money for the first RMA, I told them that I didn’t wanna waste no more but they kept bullshitting me.
They also told me that if I want they can pick up the board and send it to someone that could repair it, but this isn’t for free and I will have to pay the expense.
To sum it up: I sent them the board, after 2 month I had it back but it doesn’t worked properly, so I sent it to them for the second time and this time they said the fucking board was working correctly.
After this someone contacted me and told me probably they could repair the board but I had to pay for it…
That day I told myself that this would have been my last Gigabyte.
For the next 2 years I didn’t touched none of them, but when Sandy-Whore hitted the shelf I was forced to buy a Giga because they were the only one good for 3dmark 01.
I bought 2 Gigabyte, P67A-UD4 and later an UD5, and this was a BIG mistake.
The first UD4 arrived borked, VCORE different from AUTO and the mobo didn’t post…WTF, another DOA piece of crap.
RMA it and after 2 months I had a new one, this time at least I can change voltages…but…Elpida Hyper RAMs didn’t work well and can’t boot at high BCLK…and today, 26-09-2011 the situation is still the same because in Gigabyte they are lazy and doesn’t support their overpriced piece of crap.
Then I bought the UD5, same shit as UD4 but higher price…well played Giga…
I sold both these piece of crap and bought an EVGA, that is working ALOT better.
But there’s more, a bunch of months ago I recieved a Gigabyte g1.assassin, a 450 € uber high end mobo designed specifically for gamers – I have to argue even on that because a real gamer doesn’t looks at graphic details –
By the way, this beast arrived, I paired it with my i7-950 and one of my triple channel Elpida Hyper kit but after a bunch of minutes I found out that all my high end DDR3 kits refuse to work properly over 1700 MHz.
I also noticed that there was only a single LAN port managed by KillerNIC and that was a very bad choice because this thing is well known for its slow data transfer rate and its high CPU usage even if compared with the cheapo Realtek every other mainboard have.
I did my tests and wrote the review but when was the time to publish it the guys of Gigabyte HQ in Taiwan said that we wrote bullshits, that their KillerNIC wasn’t a piece of crap like everyone know and that they managed to run the memory at the astonishing frequency of 1900 MHz – that is well below the rated speed of my kits specifically built for Intel 1366 platform –
So, beware because I’ve the feeling they do this way with alot of reviewers, if you write what they like to read it’s ok, if you didn’t then you are not allowed to publish the review.
Moral of the story: keep yourself as far as possible from Gigabyte crap.

Today is a good day

Tue, 13 Sep 2011 17:49:38 +0000

Yeah, today is a good day, I woke up at 10 am, messed around for 2 hours and then had lunch.
After lunch at 1 pm I had my 30 minutes of sports at TV and then went back to my PC and…and…that’s what I saw:

HwBot.org link

First thing I though was: WTF is that? another dumb fake result…
But when I saw who is the guy that posted I IMMEDIATELY changed my mind, this wasn’t a fake, the guy is Macci, an overclocking legend who is working for AMD from many years.
That’s a BIG news for us, 8.4 GHz with a B2 step ES CPU is something way way better than what I expected.
8.4 GHz at liquid elium will likely be something around 8 GHz at LN2 and around 7.6/7.7 GHz for the single thread benchmarks.
Now, with all the fucktard limitations SandyBitch crap have and SandyBitch-E crap will have I’m starting to think that finally AMD can have a CPU to compete in the extreme overclocking world.
If the IPC of these new BD is 15/20% better than thuban/deneb stuff these CPUs will spank Intel really hard especially looking at how low priced this stuff is and how high priced the Intel crap is.
I will buy some of these CPU at the day one, that’s for sure

New nerdy stuff…woot

Sun, 14 Aug 2011 18:22:23 +0000

Beside my latest AMD addiction I’m still thinking about getting my Sandy Bridge stuff working properly.
Three weeks ago I bought an EVGA P67 SLI, I had a BIG hope on this mobo and after some testing I finally can say that I found a decent mobo for Sandy.
This one boots straight at high BCLK, is quite solid and at least as fast as the Gigacraps I had before, now I’ve only to find a decent CPU.
Elpida Hypers are still making trouble with 32M, but nothing is perfect, so…take what you have and be happy with it.
Last week I bought a kit of G.Skill RipjawX pc17000 cas 8 assuming to get an Elpida BBSE kit and finally get that damn 32M running, but even this time I failed.
They came with a nice 8 layer green PCB, blue heatsink and a fancy RAM cooler but looking at the fourth picture below it’s clear they aren’t BBSE…the chips have blunt corners and this means only one thing: Elpida Hypers.
Like I expected they are a no go for super-pi 32M, but they shine for 3ds, so I’m quite satisfied.

AMD 955 @ 6960 MHz :: round 2

Sat, 06 Aug 2011 10:30:18 +0000

I’m not having great luck with sandy’s CPU, so, when I saw this stuff on sale in a local online shop I tought: why not ?
Last weekend I had a long LN2 session but due to moisture and other issues I cannot managed to push this setup to its limit.
So, today I went to the LN2 dealer and refilled the dewar, go back home, had lunch and then start clocking.

AMD 955 is on fire :: round 1

Mon, 01 Aug 2011 08:05:29 +0000

After the small prologue of 3 weeks ago, here is the first round with my new uber cheapo and uber flucking crazy AMD stuff.
Past weekend I and my HwProject.net fellows had 48 hours no stop benching.
While they were focused on their HD5870 lightning + Sandy rig I was testing my new AMD stuff (much more fun than Sandy TBH).
Despite the huge amount of time wasted cause of the ice and moisture I managed to get some good results too, and if the HD with 2k3 server wouldn’t had decided to die there would have been something more…

HwBot’s Geil Contest & AMD 955 B.E. first touch

Fri, 15 Jul 2011 08:14:18 +0000

Exams at university are gone, HwBot this month host the interesting Geil contest, so here I’m with the trusty 920 and EVGA E760.
To be honest the idea was to play with my new MSI 990FXA-GD80 and Phenom II 955 B.E. – bought them, not press samples for review or so – but the lack of decent BIOS for the mobo made me change the plan and give priority to the contest.
The 2 Sandy Bitch stages don’t attract me so much, but the Intel 1366 one is another story, I’m a big fan of this stuff, so I joined the game.

Da Bitch really pissed me off

Sat, 25 Jun 2011 16:55:22 +0000

Today I’m NOT gonna write the usual report of an overclocking session or write about the latest nerdy thing that I play with.
That’s kinda different, the purpose of this write-up is basicly answer to a simple question: why Intel 1155 stuff sucks that badly?
Many people probably aren’t of the same thinking but I’m quite confortable to say that this latest Intel platform is a HUGE EPIC FAIL.
The last medium range Intel platform that was really worth to play with was P35, socket LGA 775; back in those good days I had some really great board that i still have and still running smoothly.
Those boards had a good price / performance ratio and were really reliable for both daily use and benchmarking – on top of my favourite list there are: GA-P35-DS4 and DFI UT P35-T2R.
After than those p35 boards we have had nothing but CRAP in the mid range or UBER high end stuff with crazy HIGH PRICES and SOMETIME good performance and reliability.
Sometime because unluckily paying a shitload of cash doesn’t assure you to get something good, something that work like stated in the PR slide for press guys, something that works like reviewers say, etc etc.

Bitch, GTX280, HD4890 and lots of – 3d – fun

Tue, 24 May 2011 14:22:40 +0000

Last weekend me, 7ornado and TheKing met in Castagnito (near Asti, Italy), we had some stuff to test and lots of LN2.
My objectives were to improve my AM3 score with GTX 280 and do a good 3Dmark 01 with a new HD4890.
As always we had a lot of fun and I also managed to pull out some good results.

Config:

_i7-2600K # L044B675
Gigabyte P67A-UD4-B3 – bios F3
KHX 2k cas8 MGH-E-Hyper
PCP&C 1200 Watt
GTX 280 :: VGPU and CAPs mod || crazy reference HD4890 blue PCB :: no mods needed
Maxtor DMAX 200 GB sata
XP sp3 _

Having fun with Sandy, 3Dmark 01 & AM3 inside

Sun, 08 May 2011 16:53:22 +0000

Past friday I finally get some LN2 and did a 3 hours bench session in the afternoon.
This time I was focused on 3Dmark 01 and Aquamark 3 with the trusty – and also crappy – GTX 280.
Have to say that this time even with a not that good CPU and the crappiest GTX 280 I have ever seen on earth was alot of fun, 3Dmark 01 really rocks, and especially bench it alone is really a big satisfaction.

Another Biatch in da house, lets see…

Fri, 22 Apr 2011 17:15:46 +0000

I would like to write another kind of title, something like Benches and lots of fun, but when da biatch is involved you better forget the word fun.
So, no fun, or at least not as much fun as when benching with 1366 stuff, but still worth to write a small article here.
Same stuff as the previous writeup except for the CPU, yesterday I went to a local PC shop and bought a 2600K for a good price.
Not a killer chip but also not that bad, I would say that I’m quite happy cause this one behaves well at -50° C and works bench stable at 5400 MHz.
With this frequency I’m quite sure that a good ammount of n44bs are going to be pwned in the next weeks, the main objective is to do a good 3dmark 01 (with good I mean 123k +) using a single GTX280 and LN2 cooling.

After 2 months of waiting Sandy Bridge is here

Fri, 08 Apr 2011 17:50:54 +0000

Like the title says after 2 months lost with dead board and RMA related stuff finally I’ve the pleasure to play with da biatch…
Honestly, the only things that really impress me are the performances, this crap is scary fast in both of my favourite benchmarks: 3dMark 01 and Super-pi 32M.
The bad thing is that quite everything except performance isn’t exactly like I would, just to name some problems:

i7-920 @ LN2 32M fun – someone called for pwnage?

Thu, 17 Mar 2011 18:06:48 +0000

Today I and my friend Guglio had a 4 hours LN2 bench session with my good old i7-920.
After alot of pretesting with the Single Stage we managed to get a great 3rd place in the 920’s ranking on the bot.
We are really proud of it because not many days ago some guys said that I’m a fucking lamer, probably they didn’t look at HWbot or at the 32M low clock challenge on XS…

i7-920 – SingleStage 32M testing

Tue, 25 Jan 2011 18:17:43 +0000

While all the guys around there are working on the new Sandy Bitch stuff I’m still stucking with my old bloomfield setup.
When something new come out I’m always a bit reluctant at the idea of buying without knowing everything about it, Sandy Bitch is freakin’ fast clock to clock but also have alot of downsides – just for example: no BCLKclocking, Elpida Hyper act weird with most CPU/mobo, 3dmark 01 gives strange results with everything except Gigabyte board and much more…
– Back on topic – There’s not alot to say here, I did just a really quick run that end up with an interesting result.

Kingston HyperX are on fire

Wed, 05 Jan 2011 18:18:41 +0000

Not fancy stuff here, also not gay stuff or lo-vo crap…no way, I’m not going to do this, never.
My way of life when talking about overclock is: get the crap out of everything you have in your hand and if it scale feed it with MOOOOAR volt.
Even this time I’ve tried to do my best – and I think that something interesting came out.
Like the title says here we are talking about the component that I love more: the RAM.
Since DDR2 time I was in love with RAM, the time goes on but the memory addiction still persist.
I still have a KIT of Crucial PC8500 batch 18F – if you know about DDR2 you know what I’m talking about – and 2 KITs of Cellshock PC8000 D9-GKX – damn crazy RAM, love ’em – and PC6400 D9-GMH.
Ok, that’s enough, let’s make the pics talk…

i7-950 + E760 + STT 2k = 32M fun

Fri, 12 Nov 2010 18:27:28 +0000

After 3 weeks of prestesting now it’s time to put my new E760 under LN2.
The config is still pretty the same I’ve used in the past 3 month except for the RAM, this time I used a good 3×2 GB kit of SuperTalent.

AOC + Coolbits + Mafio = 06 and vantage fun with HD4870 !!

Mon, 06 Sep 2010 18:36:07 +0000

Yesterday I, Coolbits, The King and |ron met in Monza, we had 30 litres of LN2 and some stuff to test.

Config:

The main objectives were to do a super-pi 32M, 06 and vantage with our HD4870.
The limit for 32M with 1.83 volt was around 5.7 GHZ, unfortunately we can’t feed the uncore with more than 1.45 volt because of stability issue with higher voltage…then low uncore frequency.
No matter what CPU PLL voltage we use, CBB and CB were both around -125°, not a great CPU.

Meeting @ Castagnito (Asti, Italy) – 4/5 August 2010

Wed, 11 Aug 2010 18:37:16 +0000

Wednesday and thursday of the past week I and my 2 friends 7ornado (Simone) and The King (Marco) meet at Castagnito (Italy, near Asti, a place famous for wine and truffles).
We had 100 litres of LN2 and a lot of hardware.

7ornado and the king used:

i7-975
my A-Data 2133X MNH-E-Hyper
HD4870 Sapphire 1 GB
the good old Enermax Galaxy 1 KWatt
ryba CPU and GPU pot

I used:

Back in real business – round 1

Tue, 06 Jul 2010 18:52:58 +0000

Nothing special here, no WR or something like that but today finally I had 10 litres of LN2 to try my i7 950.
I’m happy because it’s been a long time since I had a good bench session at LN2, in the last six months I lost my time with p4 (8.1 GHZ then the RE died….), phenom 1090T with a crappy MSI 890FX and another bunch of rubbish…
Now seems that the luck is coming back, this 950 works pretty well.****

i7 950 + DFI UT X58 + HD4890…pwnage incoming

Sun, 23 May 2010 20:54:51 +0000

Few weeks ago I got an i7 950 from ebay.
The first impression was good, it has a really strong IMCH and it’s damn hot…then probably it has low cold bug.
Before put it under LN2, as I always do, I’m testing it with my single stage phase change (for more info look at Cooling section).
The maximum core frequency that I can reach isn’t that good, but I think that with more cold it will give me tons of others MHZ.

Back in business…P4 631 alien, 8+ GHz

Fri, 23 Apr 2010 20:59:28 +0000

It was 10 April 2010, AOC (me, the king, 7ornado and |ron) is back in business.
After long time we decide to test another time Alien, a Pentium 631 that 2 years ago got the frequency absolute world record.
This time we used a Rampage Extreme, the mobo looked pretty solid but not as good as the good old ASUS Commando.
BTW we got 8025 MHZ, the precedent WR made with this CPU was 8180 MHZ.
In the next months probably we will retry it maybe with a Commando and maybe we will get back in Italy the frequency WR.